Wimpy Web Hosts Hope Hackers Won't Scan

Many web hosts lack confidence in their own security services and fear scans may reveal their vulnerabilities. LogiGuard scanning exposes security flaws that many weak, insecure hosts don't want you to see.

You may want to see how confident your Web Host is when it comes to survey scanning and vulnerability testing. According to Salvador Periot, Technology Strategist for LogiGuard LLC, there has been “an increase in the number of web host administrators who are terrified of port scans.” LogiGuard offers HackerGuard, a product developed and used for port scanning and testing for SANS top 25 vulnerabilities and other security holes that can be found within a website.

These wimpy web hosts are simply not living in the real world. They are terrified of port scans for a very good reason—these scans do work and they can find weaknesses that otherwise might remain hidden to all. If a weakness is found, they may actually have to beef up their server security which may take a little time and money away from the leisurely lifestyle of the web host. What they really can't accept is that if the 'good guys' aren't scanning your network and probing against vulnerabilities to help you make informed security decisions, you better believe the 'bad guys' are probing and scheming about how to exploit the vulnerabilities that they might find.

Used mainly on the enterprise level, the scanning process used by LogiGuard is quick and painless. However, Mr. Periot states that far too many web hosts come back and complain that they don't want to be scanned, using excuses that the testing process may tie up resources, or worse, complaining that it may “crash” their server. This thought pattern is the same as an automaker that won't crash test a car because it may show weaknesses in the car. Web hosts need to take responsibility for their server security and accept that some security changes may be needed. “Scanning is a way of web life and will only get more intense as resources expand and methods for scanning are improved and refined,” commented LogiGuard's Mr. Periot.

Not all web hosts play dead monkey with real security issues. We were happy to see welcomed responses from Host Color in a recent press release, offering guidelines on securing PHP and Perl applications. The hosting company security specialists also underline how important it is that all web applications are updated regularly. "Our company has always placed a strong emphasis on security. The main problem that we face however is that too many webmasters do not realize that they need to think about all security implications when they install any software on their accounts. A recent example of the type of problem that we face is that many of the 'Contact us' scripts that our customers install are vulnerable and can be used as open-relays by spammers. This causes serious problems for the servers since it can turn them into sources of spam. We have added detailed instructions on how this can be avoided. We have also given simple examples of what Code and SQL injection are and how those intrusions can be stopped as well," says Stoyan Marinov, Host Color's Security Specialist.

LogiGuard's Marketing Director Wendiann Trent adds, “Buck up web hosts! You may not always like the vulnerabilities exposed, but if they're in there, you need to take proactive measures to protect your customers against fraud and theft. Of course, you may find that you may well be hosting a hacker or two, who has been exploiting one of your weaknesses for months! Consider this a godsend and respond accordingly.”

As for poor customer service and a paranoid reaction to the scanning process, one large web hosting company threatened to have their customer removed if he did not discontinue the daily vulnerability scans. This is one of the more extreme examples of web host insecurity that has been displayed over recent months. If a bank officer is afraid of a mock bank robbery while the banking center is under his own surveillance, the banking center probably has huge weaknesses which the bank officer is either trying to hide, or too lazy to repair, or both. Would you feel comfortable depositing your cash, especially anything over $100,000, into a bank with such anti-testing policies?

When searching for a web host, stay away from the web hosts that do not welcome vulnerability testing or have an anti-scan policy. Seek out web hosts who are concerned about server security and have open minds about how to maintain a high level of security for their customers. They do not have to agree with results or conclusions from the scan report, but they should carefully review the results, embrace the increased awareness in learning about the security of their server, and reaffirm to you that they are doing everything they can for you and your customers' online security.

###

Contact Author

Wendiann Trent