Category Archives: Security and Privacy

Recent Brivium Hacking Case & How You Can Prevent It

Online Security is becoming more and more of an issue today. Hackers and crackers seem to be more and more common. If you’re following the admin community as closely as I do, you’ve probably been aware of the recent issue involving Brivium and their recent hack of The Admin Zone. If you aren’t already aware of this, Continue reading

Pros and Cons of SSL on a Forum

SSL is a technology which secures communications between your users and your website. In the case of a forum, it allows you and your members to log in without having to worry about whether your password is entirely safe or not. You can tell whether a website has SSL by checking for the green lock beside the address bar when visiting the website. However, there are also negatives to using SSL. This article discusses both the positive, and the negatives, of using this technology on your forum.


The Positives: Why to Use SSL on your Forum

There are several reasons why SSL is a good idea for your forum. Here are the reasons why.

  • Security: Using SSL, you can be certain that your members’ passwords are entirely secure. That means secure, not only from a hacker, but also from government agencies, and anyone running a program similar to FireSheep on the same wifi network as you or your users.
  • Confidence: When using SSL, web browsers will display a green padlock beside your website’s link in the address bar. This can make your website look more official and more safe. Particularly for any website which takes credit card information, this is entirely essential.
  • Search Engines: SSL is known to positively impact a website’s SEO. For example, Google has a publicly known policy in which websites which have SSL are given preference in search results to websites which do not have SSL. For this reason, a website which seeks to have good SEO should consider using SSL.

These benefits can be very important for a forum. However, there are also negatives which are very important to take into account.


The Negatives: Why to Not Use SSL on a Forum

There are several negatives to using SSL on your forum. Below is a list of the negatives which I am aware of.

  • Price: To use SSL on your website, you must have an SSL certificate. These are, unfortunately, not free. Prices generally hover around $90 per year. However, if you purchase from the right vendor, you can buy an SSL certificate for as little as $15 per year, or $25 for two years. I recommend buying an SSL certificate from HawkHost.
  • Slowness: An SSL connection takes time to initialize. This can be mitigated by generating an SSL key which is 2048 bits in length, instead of the 4096 alternative. However, connections to your site will still be slower with SSL than without.
  • Maintenance: An SSL certificate must be renewed every year (or a bit less often if you purchase in advance). It is similar to a domain name in this regard, but with one key difference. When your certificate expires, you must replace it with a new certificate. You cannot directly renew your old certificate. This is not very difficult using cPanel, but if you forget to do this, then your website will experience downtime while you figure out what to do.
  • Downtime: If you forget to renew your certificate, your website will experience downtime.
  • Advertising: When you sell advertising on your website and use SSL, people who purchase your ads will not be able to see in Google Analytics that traffic is being referred to their site from your site. This can make advertisers decide not to use your forum, because they cannot view the statistics.

Conclusion

SSL is a valuable feature for a forum, but every forum does not need SSL. If you decide to switch to it, you should evaluate carefully whether you really need SSL on your forum, or whether it will just add additional headaches for you, your members, and your advertisers.

Fighting Spam Effectively: The Three Layer Defense

Fighting spam effectively can be difficult, but using three different technologies, it can be quite achievable. Forums do not need to use member validation, or impose the requirement to first post in a particular forum. Instead, a forum needs to use the following three techniques to form a passive and active defense against forum spam.


Defense Layer #1: Good Anti-Spam Software

The most important aspect to any spam defense is software. Within this “Layer,” an administrator should use four different technologies to defeat spam. Those technologies are as follows.

  • reCAPTCHA: Google’s reCAPTCHA is currently the most effective anti-spam mechanism. There are other tools which integrate ads, or allow the user to simply slide a bar to verify that they are not a spam bot, but these are less effective. There are reCAPTCHA plugins for all major forum systems.
    • MyBB: http://mods.mybb.com/view/recaptcha
    • phpBB: https://developers.google.com/recaptcha/old/docs/phpbb
    • IPB: Built-In.
  • Q&A CAPTCHA: For bots which are sophisticated enough to split past reCAPTCHA, Q&A CAPTCHA is a very effective defense. Simply define a few custom questions, such as “What is the name of this forum,” or classically, “What color is the Sky?” and most bots will not be able to create accounts. Note that for larger forums, a bot may be designed to know the answers to these questions, so this defense should be used in conjunction with reCAPTCHA.
    • MyBB: http://community.mybb.com/thread-83250.html
    • phpBB: https://www.phpbb.com/support/docs/en/3.0/kb/article/how-to-configure-q+a-captcha/
    • IPB: Not necessary because of IPS Spam Services
  • Email Validation: This is a feature which most modern forum systems use by default. It stops a very large number of spam bots, but not all. This is most likely enabled on your board by default, but if not, I recommend enabling it.
  • Spam Databases: There are a number of alternatives for different spam databases to use. For IPB users, IPS Spam Services (which is bundled with your IPB License) is extremely effective, and prevents a vast majority of all spam. For non-IPB users, StopForumSpam is a very good option to use.
    • All major forum systems: http://www.stopforumspam.com/contributions
    • IPB: Use IPS Spam Services, which is built in to IPB.

 


Defense Layer #2: Permanent Bans & Cleanup Tools

Despite the strong defenses of layer #1, there is a class of spam bots which will evade them, and still cause issues on your forum. If your forum is large enough, these potential spam bots include human beings.

The most effective tool for dealing with spam bots who have passed through layer #1 are immediate, permanent bans. But also, you will need to use a good removal tool to remove their content from your forum. Below are instructions on how to do this on major forum platforms.

  • MyBB: Use the following plugin, or the “Delete User” feature of the ACP: http://mods.mybb.com/view/goodbye-spammer
  • phpBB: Refer to the following support topic: https://www.phpbb.com/community/viewtopic.php?f=46&t=1187175
  • IPB: Hover over the user’s name and click “Mark as Spam.” Searching “Mark as Spam” in the ACP will allow you to configure what this button does.

However, there are some spam bots which are so clever, that even the most intelligent admins cannot be sure that they are spam bots. There is one final defensive layer to use against these nasty customers.


Defense Layer #3: Moderator Queue

Sometimes, a user will register, post a perfectly allowable topic asking a question like “What dating script should I use?” Once a couple members have replied, then will then say “Actually, I decided to use <insert  link here>. It’s a very good product!” When a new user posts something suspicious, the admin should then add that user to the moderator queue. That way, if the user turns out to be a real person, and it was all a misunderstanding, then the user can be taken off the moderator queue. Here are instructions on how to do this.

  • MyBB: Create a new group and check “Moderate new posts” on the edit group page. Add suspected spammers to this user group as their primary user group.
  • phpBB: Create a new user group, and configure its permissions for each forum to “Moderate new posts.” Doing this is beyond the scope of this tutorial, although a google search for “phpBB Moderator Queue” will help configure this. When you identify a suspected spammer, add that user to this user group.
  • IPB: Create a new user group. When editing the group, under Forum -> Restrictions, set “Moderate content of everyone in this group?” to “Yes.” When you identify a suspected spammer, add that spammer to the user group you just created. Make that the user’s primary user group.

Basically, the moderator queue requires moderators to manually approve each post by the user. This can be burdensome, but if a user continues to spam after being added to the mod queue, then the admin can then proceed to ban the spammer.

NOTE: Do not set up your forum to add newly registered users to the moderator queue, unless you are very certain that that is a good idea. Only add spam bots who get past layers 1 and 2 of your anti-spam defenses to the mod queue, and do so manually via the ACP. Adding all users to the mod queue by default will discourage them from posting.


Conclusion

Spam is a problem which many forums have. Using a three-layer defense, administrators can thwart all spam, and keep their forum clean of advertising. If you found this tutorial useful, or have any questions, please leave a comment on this blog post.

Thank you for reading!

Internet Security – What You Didn’t Know!

This article was first posted on our blog on 28/01/2011. For this reason, the information may be outdated and no longer reliable/correct.


We’ve all heard about viruses or been hit by one. It’s never a pleasant experience no matter how big or small it is. That being said, what different kinds of viruses are there, and how can we protect our vital information from being stolen?

For several years now, I’ve been a programmer. Be it PHP, C++ or Python, I’ve at least basked in it’s glory; when it comes to malicious code, I’m the expert.
There are several types of virus from which you want to protect yourself, and if you’re a bit lazy like I am, you may want to install an AV (anti-virus) that does the job for you.

Botnets

A botnet is not a virus that you want to be handling. They infect your PC silently and allow the person who deployed it to control your PC at any given moment. Some can even turn your computer on in the middle of the night across the internet and access your files whilst you’re asleep if you’ve got a WEP/WPA/WPA2 key saved on your local drive. This is common amongst hackers since many of them are actually scared of being caught despite their reputation for bragging.
There are many ways of defending against botnets; one simple way is not to store internet keys locally. That being said, it’s my strong suggestion that you keep a physical copy of your internet key (if applicable) and type it in whenever you turn the PC on.
In addition to this, you may want to install an anti-virus to protect yourself. Please see the links at the bottom of this post.

What damage can a botnet do?

Good question! A botnet is a dangerous virus that allows the user to control your PC, so technically, the botnet doesn’t do any harm at all. It just sits in your C:/ drive and waits to be told what to do. The user himself dictates what it will do which can include copying your files to a remote server, logging your keystrokes, watching what you do, or just playing around on your PC to annoy you!

Info Stealers

These are sneaky little buggers that will rob you of everything you have. They bind themselves to files and then are ran by the victim. They generally look like genuine files, such as installers for MSN or Skype, and they collect all of the cookies and passwords stored on your PC and send them to a remote server.
These files are then analyzed by the person who sent out the virus, and your info is then unsafe!

How can I defend myself against these?

Luckily, info stealers are highly detected. Many AVs are updated automatically, and the new viruses are added to their databases, so if you have an anti-virus, you don’t really have any reason to worry.
However, if they crypt the file, there is cause for alarm. This means that the code inside that is detected by the anti-virus is now scrambled and not necessarily detectable. The only real way around this is to run it through Sandboxie. Of course, trusted software such as Microsoft products from official sites is safe, but for anything you might be cautious about, use Sandboxie.

What is Sandboxie?

Sandboxie essentially creates a new drive within your C:/. By doing this, all of your files that contain any information are separate, and safe. If a program contains a virus and it is run within a Sandboxie environment, it can only hunt the files within the Sandboxie “S:/” drive, thus preserving your info!
Links:
AVG Free: http://free.avg.com/gb-en/homepage

This antivirus is brilliant if you want a free but effective one. I wouldn’t suggest buying it; there are much more powerful ones for only a fraction more.

[b]Kaspersky (30 Day Trials): http://www.kaspersky.co.uk/trials
Kaspersky (Paid): http://www.kaspersky.co.uk/store

Sandboxie (Free!): http://www.sandboxie.com/