Security Strategy For Sensitive Data
Feb 29, 2008
I am working towards launching a site that, among other things, will be a repository for sensitive data on war crimes. As these crimes are ongoing, and occur in a location where assassinations are endemic, I need to develop a comprehensive security strategy that takes into account all levels of the interface between end user / witness and the site / database itself.
I have considered, but am open to insight and advice on, the following:
1. Data security laws in given countries, in order to ensure the privacy and integrity, as much as possible and away from political / state interference, of data communications. Concerns include the interception of data in transfer and the security of stored data (the United States and the UK are almost certainly cancelled out in this regard. Canada appears significantly better, though Greece, it appears, has the greatest level of legislative protection).
2. Encryption as a technique to ensure the security of transfered and stored data. I am particularly interested in best practice advice on encryption.
3. Javascript as a means to establish a more secure interface between the end user (i.e., the browser interface) and the secured database into which sensitive data will be inputed. Has anyone used this, or other techniques of overcoming the inherent insecurity of the browser interface?
4. Various best practices concerning php, MySQL and Apache security. Any and all advice, or guidelines, welcome.
5. Considerations relative to dedicated hosting, and also colocation hosting as an option.
In general, my problem is to ensure that the identities of witnesses, so much as is technically conceivable, can be protected from extra-judicial interference or surveillance. Nothing about this site will be illegal in any way. The problem is that the witness testimony will be about the actions of a powerful state that has demonstrated its disrespect for law.
Ideally I'd find in these forums a few individuals with whom I could discuss these technical matters off-forum. At the same time, general responses would be values.
The site that I'm building is non-profit (indeed zero budget) and does not represent any political party. It's a people's initiative, against aggressive violence and in support of international law.
View 1 Replies
ADVERTISEMENT
Jul 9, 2009
I just want an expert opinion if what I am doing should be considered to be secure (or if there is a more secure way to do what I am doing). I made our hotel's online reservation system and it stores the guests' credit card information.
The card is encrypted using AES (MCRYPT_RIJNDAEL_128) and the key that is used to encrypt/decrypt must be entered from the client side in order to log in. It is not stored on the server. So that my employees do not have to enter it every time they want to log in, it is stored in a cookie on their computer or entered manually if the cookie is deleted. When logged in, I have the key stored in a _SESSION variable in a subdirectory of that account's home directory and have the following attributes (for example):
Quote:
-rw------- 1 nobody nobody 0 Jul 9 16:48 sess_c1744d96fe87def6814db2c5936e1b1d
Does this seem like a secure enough way to store/encrypt/decrypt credit card data?
View 5 Replies
View Related
Jun 22, 2008
I am moving one of my site from windows to centOS hosting. The problem is that the new server is case sensitive for folders and file names. I had all my folders in capital letters previously and also all my links inside pages(www.domain.com/FOLDER/Page-Name.php).
I have nearly 1000 pages and most of them are indexed in google in this format
[url]
Now i have renamed all my folders, files and links inside the files to absolute lowercase.
View 4 Replies
View Related
Sep 21, 2009
This morning BlueSquare/Poundhost sent out an email to all their customers, announcing a special deal to all current customers, that sounds great right? Sure, except the CC'd instead of BCC'd all of their clients in on the email.
Since then everyone who's email address stards with anything up to the letter B - around 100-110 addresses - received an email containing the ****** image with the message
Followed by this from BlueSquare:
Quote:
Earlier today an email was sent out to all customers providing details on a dedicated server special offer. Unfortunately this email was sent out using the CC field and not the BCC field. This was not a breach of security, but a genuine mistake on the part of the sender who was not aware of what had happened until the email had been sent, and as such the sender has been suitably reprimanded.
We realise the seriousness of this error and have now taken automatic steps to ensure this cannot happen again by limiting the maximum recipients on our outgoing mail server to a small number, as well as updating and limiting staff on the use of the mail list system.
We are aware that some of our more unscrupulous competitors may have already obtained a copy of this email list and may contact you in due course. If you do receive an unsolicited email, to reduce further unwanted spam, please use the unsubscribe option which they are legally obliged to include.
View 14 Replies
View Related
Dec 4, 2008
I just signed up for dedicated server at Softlayer with cPanel, mySQL and CentOS. I'm moving a site that is on a VPS with WHM. I know that cPanel has a transfer site feature.
I was considering hiring a service to migrate my site and to harden my server. Is this necessary or should I simply move it via cPanel? Things are tight and I don't want to incur an unnecessary cost if I don't have to. I defer to the members here at WHT for your recommendations.
View 3 Replies
View Related
Nov 3, 2009
I am asking myself what the best backup strategy for my dedicated server could be. I do not host any commercial website on it (just private ones), but we all know that even losing non-commercial data hurts.
What I already do:
More or less recent backups of the most important websites (just webspace, no email or database) on my local computer
Having hardware Raid-1 on the server and 2 HDs
Using R1Soft Backup Space provided by my server host
I would like to add some FTP space at an external (!) DC to do scheduled cPanel backups.
I think that a further dedicated server or VPS will not be necessary for this task.
Can you recommend a provider of pure FTP Backup Space which is reliable, at least on a 100 Mbps line and affordable?
I guess I need about 100-200 GB of space to keep daily, weekly and monthly backups.
View 14 Replies
View Related
Jul 22, 2009
I am writing a website in PHP and just about make the first version live.
I'm a bit concerned with backups at the moment. I don't want to lose all the data, as a lot of effort will be put into adding content to the site. It uses a MySQL database as well as the file system to store data.
I was just going to do MySQL dumps nightly, but I realized that I know nothing about the topic and therefor should ask advice before writing code in PHP ( which only run for 30seconds max? Is that long enough to backup?)
What is the common practices to do backups on a CMS type site? How often? How do you manage backups? Where do you store them too? Does doing backups effect performance? Do you do full backups or just changes? If I write a backup script, should I try do it in perl/python/bash or stick with PHP?
Or any other information which will fill me with confidence.
View 3 Replies
View Related
Aug 18, 2007
I'm gonna order my first dedi box. So one question comes up: How should i partition the HD ? It's a low end box with 120gb HD containing CentOS + Plesk, hosting 4-5 websites, nothing special.
Here is my plan:
Quote:
/ - 5gb
/boot - 1gb
/swap - 1gb
/home - 3gb
/tmp - 5gb
/var - 40gb
/usr - 5gb
/backup - 60gb
View 8 Replies
View Related
Apr 12, 2008
Surely it is good to have backup, even remote backup, but do you check them on a frequent basis to ensure that they are valid backup ?
What is your backup startegy and how do you verify your backups to ensure they are not corrupt and ok ?
Im interested in cpanel backup strategies.
View 1 Replies
View Related
Jun 6, 2008
We are going to host an application for 20 customers. Our application is related to online order system. We will create 20 virtual host on Windows machine. Application developed in dot Net and database is MS SQL 2005. each client have its own database. I Just want to get an Idea from you people about CPU, RAM, Hard Disk, and Bandwidth.
View 1 Replies
View Related
Oct 10, 2007
when I do "yum update" at my centos 5 box, I saw over 40 packages needed to be updated.
For example, there's minor version update for MySQL 5.
so I am wondering how to determine which packages are absolutely needed.
My box is used to serve web applications. I just want to make sure that it's secure.
View 1 Replies
View Related
Apr 4, 2008
I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTP's into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its sub directories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as apposed to 0755) than its parent but if I do a top down user/group change on the folder it will change everything in that folder to 0755.
View 10 Replies
View Related
Sep 8, 2007
I have 100+ sites on this hard drive, and one site in particular that meant the world to me.
My host sent the drive to Gillware first, but they failed saying that the file system was so severely damaged that they could not recover anything.
Then shortly after, my host sent it to DriveSavers, a very well-known company, but they also FAILED.
I'm extremely depressed because of this. Please don't post if you're going to say "make sure you do backups next time" because I've heard it 504329504395 times now, and while I do realize my mistake, saying that does NOT help me.
I am willing to spend ALOT to get my sites back. I still have hope. Are there any other companies out there BETTER than DriveSavers? Assuming that you'd still have hope even after two companies failed, where you would you go or what would you do?
View 14 Replies
View Related
Feb 20, 2007
How can I find the data transfer rate on the server. I have done ifconfig -a , it
display the amout of data has been received and transfered. I want to see the live data transfer date. Can I able to check it?
View 6 Replies
View Related
Aug 28, 2007
My host just recently sent the hard drive with my sites to a data recovery company called Gillware. Website is [url]- but they failed and gave the following reason:
Quote:
Originally Posted by Gillware
Unfortunately, your file system was so severely damaged that no data can be
recovered. We will make arrangements to return your drive via UPS. Sorry
we could not help you further.
Gillware Inc.
Do you guys think there's still hope?
The hard drive is now being shipped to a more well known company, Drive Savers - [url]and I'm guessing that this is the last hope, because the more the drive gets tampered with, the more chance of permanent data loss.
So yeah.. I was just wondering what you think? If the file system is so severely damaged, do you think it STILL can be recovered?
View 2 Replies
View Related
Jul 16, 2009
I have regarding hosting/designing my application. Users of my website upload highly sensitive files to the server. I'll use SSL but will that be enough since the files are not encrypted on the server. I tried to encrypt the files but that is adding a huge overhead.
My first question is - is it a good idea to store the files on the server rather than a database? My other question is regarding hosting; I'm thinking of building my own server and host it in a colo. Is colo more secure than dedicated hosting? Currently i'm still in the process of developing my App and my environment is Windows Server 2008/SQL Server 2005.
View 13 Replies
View Related
Feb 9, 2007
Is there any problems with having duplicate rules in different files as I have downloaded some rules and am going to make them all into one file to give me the best protection, but this is going to take time and I really need some sort of protection now
View 2 Replies
View Related
Aug 25, 2007
after install ConfigServer Firewall i get the following ...
ConfigServer Security & Firewall - csf v2.89 >>
PHP Check >>
Check php for register_globals >>
WARNING >> You should modify the PHP configuration (usually in /usr/local/lib/php.ini) and set:
register_globals = Off
unless it is absolutely necessary as it is seen as a significant security risk
must i modify it?or not? put in ur consideration i tried to download it to modify an error occured!
View 2 Replies
View Related
Aug 24, 2007
I am on a shared server account with Lunar Pages basic hosting plan.
The only script file I have up running is db Masters FormM@iler. It runs on Cpanel. I deleted whatever other scripts I could find on my server. The site is just basic html pages with jpgs and a gif.
Is there much else I really need to do to secure the server or is that more in Lunar Pages' hands?
If there is still more I can do to secure the server, and is it a small amount that's easy to do or would it be wise to just hire someone else to put in a few hours making sure everything is truly set up securely?
View 5 Replies
View Related
Apr 23, 2007
I have a vps that has been exploited, and the hosting company is giving me advise on what to do to fix the security problems, but i need a good server administrator/company to help me with this. can anyone recommend a company that will go thru my server,
View 8 Replies
View Related