Most Web site security software is designed to stop theft of data or denial-of-service attacks, but Lockstep Systems Inc.’s new security application attempts to minimize the embarrassing (or worse) effects of attacks that alter or deface company Web pages.
WebAgain 1.0, which was released last month, is a relatively simple program that essentially acts as a staging server for Web content. All approved content for a site is published to the WebAgain server, which then compares that content to the content in the site directories. If WebAgain detects that a page has been altered, it replaces that page with the content in the WebAgain server.
WebAgain monitors Web site directories directly via FTP or a network share. It can effectively monitor sites using dynamic content because it detects changes only in the scripts and not in the content being pulled by the scripts.
Although in tests eWeek Labs found WebAgain to be an effective program for minimizing the damage of Web site defacement, we believe sites can easily build similar protection themselves. For example, administrators at many of the federal agencies whose Web sites were defaced last year have implemented simple automated scripts that regularly update the live site files with a secure site copy in another directory, making it difficult for any site defacement to stick around.
Nevertheless, WebAgain passes two critical tests for any product that provides a service that businesses could implement themselves: It’s relatively simple to use; and, at $349, it’s inexpensive enough to make it worthwhile as a time- and cost-saver relative to creating and implementing scripts.
Businesses should implement some form of site defacement protection, whether they purchase a product or do it themselves. The government site defacements were as obvious as graffiti, but more insidious site alterations, such as a changed support phone number or an altered price in a release, can be easily missed and can cause greater damage.
However, companies should not expect these types of applications to provide full protection against changed or stolen content – two common attacks that involve techniques about which security administrators can do little. The recent hijacking of the Nike Web site involved one of these, a redirection technique that exploited poor e-mail-based management policies at the domain registration company. The second technique, mimicking a Web site, recently caused major confusion at several high-profile sites, even though it was obvious the content wasn’t located at the actual company’s Web site.
The WebAgain server runs on Windows NT but can monitor any Web site that has FTP or directory access. Because WebAgain uses its own FTP server for regular, everyday Web site additions and edits, it should be installed on a system without an FTP server, or the port number used by one of the servers must be changed.
Initial installation was very simple, and we easily defined multiple sites to be monitored by WebAgain. A wizard stepped us through choosing whether users would publish to the WebAgain server using FTP or a directory share, and whether WebAgain would use FTP or a directory share to publish to the live Web servers.
WebAgain also includes the must-have ability to monitor and publish to several mirrored servers at the same time.
Double the publishing
Before WebAgain could begin monitoring a site, all the site content had to first be published to the WebAgain server – a needless hassle. This step was tedious, especially with large sites being published through FTP. We would prefer an initial setup option that automatically loads the entire site.
Plenty of other tools, including site management packages and development applications, have the ability to automatically harvest files from a site.
Once we had defined our sites, we could configure how often WebAgain would scan a site for changes. The default is every 15 minutes, and we could scan as often as once a minute. It is also possible to configure alerts to be sent through e-mail, SNMP or the NT event log whenever an altered file is detected.
When WebAgain detects a file that has been changed, it places the file in a quarantine directory. This was useful to actually see what types of defacements occurred after WebAgain had removed the files from the Web site. However, we would also like to see WebAgain use the server information to list the location from which the file was loaded; this information would be useful for determining if an attack originated externally or internally.
WebAgain ignores some files for good reason, such as Web cam and database files that change constantly simply by their nature. However, WebAgain’s inability to deal with files that have been added to a site is a major weakness. The product can look for changes in files that should be on a site, but if an attacker adds a file through a compromised connection, WebAgain ignores it. This would enable an attacker to add a page and then send e-mail or newsgroup messages directing people to a fake file on the actual company site.
In addition, if a site is using default directory pages such as index.htm or default.htm, it’s possible that an attacker could add a file that ranks higher on the default page hierarchy than does the actual default page.
To address this problem, WebAgain should implement some form of directory synchronization – any do-it-yourself solution could employ a directory synchronization tool for this capability.
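A do-it-yourself script of the kind described above might look like the following sketch. It is an added example, not WebAgain's code or any agency's script: it restores altered files from a trusted copy, quarantines the suspect versions, and also removes files that were added to the live site. The directory layout, function names and ignored suffixes are assumptions, and the quarantine directory is expected to sit outside the live tree.

```python
import hashlib
import shutil
from pathlib import Path

# Assumption: file types that change by nature and are not monitored.
IGNORE_SUFFIXES = {".mdb", ".log"}


def digest(path: Path) -> str:
    """SHA-256 of a file's bytes."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def listing(root: Path) -> set:
    """Relative paths of all monitored regular files under root."""
    return {p.relative_to(root) for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() not in IGNORE_SUFFIXES}


def _quarantine(live: Path, rel: Path, quarantine: Path) -> None:
    """Move a suspect live file aside so it can be examined later."""
    dest = quarantine / rel
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(live / rel), str(dest))


def _restore(trusted: Path, live: Path, rel: Path) -> None:
    """Copy the approved version of a file back into the live tree."""
    (live / rel).parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(trusted / rel, live / rel)


def sync_site(trusted: Path, live: Path, quarantine: Path) -> dict:
    """Make live match trusted; return what was found, by category."""
    good, seen = listing(trusted), listing(live)
    report = {"altered": [], "added": [], "missing": []}
    for rel in sorted(good & seen):
        if digest(trusted / rel) != digest(live / rel):
            _quarantine(live, rel, quarantine)
            _restore(trusted, live, rel)
            report["altered"].append(rel.as_posix())
    for rel in sorted(seen - good):   # present on the live site only
        _quarantine(live, rel, quarantine)
        report["added"].append(rel.as_posix())
    for rel in sorted(good - seen):   # deleted from the live site
        _restore(trusted, live, rel)
        report["missing"].append(rel.as_posix())
    return report
```

Run on a schedule, the returned report can feed whatever alerting is in place; a non-empty "added" list is the case a compare-only tool would miss.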
Because the WebAgain server becomes a staging server for the Web site, it is possible that the server could become a target for “officially” adding altered files. However, WebAgain makes it simple to define fairly strict IP-based access policies to its publishing interface. In addition, most attackers wouldn’t know to look for the WebAgain server in the first place, and it can easily be placed behind a firewall.
Web sites that want to protect themselves against embarrassing and potentially costly Web page defacement should take a look at WebAgain, an inexpensive but effective tool for minimizing the damage of these attacks.
Short-term business impact: WebAgain can quickly provide a layer of protection against Web site vandalism, although some content authors will have to adjust to different content publishing methods.
Long-term business impact: As new technologies emerge and sites grow more complex, businesses will need to build or purchase more advanced tools, such as WebAgain, that can look for a variety of changes in many different types of content.
Pros: Can monitor Web page content, including dynamic pages, for alterations and remove changes; easy to implement; publishes to multiple servers; inexpensive.
Cons: Can’t monitor for files added illegitimately to a site; entire site must be republished before it can be monitored.