Welcome to AllAboutDatingSites - aeDating & Dolphin Dating Technical Solutions. We hope your visit with us will enable you to make better informed decisions about enhancing and managing your Dating Site or Social Networking business.

Forum: Vendor Related Software Security Issues (discussions about site and software security should be posted here)
05-22-2007, 12:27 PM   #1
webmaster
Administrator
Join Date: Oct 2005
Posts: 29
Blog Entries: 1
What are your Priorities for Securing Your Site?

When it comes to securing your Dating Site, my take is that you need to protect the contents of your header.inc.php file which contains all the Database Login information and can be hacked to get anything from your system, including your system.

Ask anyone who has been hacked by the moron or group of morons that identify themselves as "Turkish Hackerz"...

People get all excited about the fact that the Dolphin/aeDating database contains plain text passwords but frankly THAT is the least of the security issues that they ought to be worried about, given the current state of dating site software technology.

If you use just a tiny bit of common sense and think about it for a second: what is the "cost" if someone hacks your database and finds all the member passwords? What are the consequences and benefits to the hacker? Well, they can log into the user accounts of the system they just hacked. What other horrific, damaging consequences do "plain text" passwords in a Dolphin or aeDating system have?

The plain answer is that the sum total cost is ZERO because the plain text passwords don't give the hackers a single thing they don't already have, THE SYSTEM PASSWORD! The system password which they got from HACKING the cross site scripting vulnerabilities, NOT from hacking the DATABASE directly, though that is certainly a possibility, but in the same order as the cross site scripting vulnerability...

Here is what I know for sure from analyzing dozens of attacks on my own sites. If you don't protect your Include files you might as well post the system password on the front page of your site because you left the door open anyway.

I also know absolutely that the hackers have a script that they run to try to find "open doors" on vulnerable Dating Sites (and other sites too, but dating sites are especially attractive to them). Once they have found an accessible target, the same script gives them SHELL access on the vulnerable site. One of the functionalities of this shell is to be able to edit files in YOUR directories, and they have access to the complete directory structure including the /inc folder. Another part of their script is a file editor that allows them to open any php file on your site, including your header.inc.php file. Once in the header.inc.php file it's a no-brainer to write a 10 line script (that the hacker's script allows them to execute in real time) to get the Admin username and password to the Dolphin Admin Panel. As you know, once you are into the Admin Panel you have access to downloading the entire Database and on and on and on ... You getting the picture here? This is REALLY UGLY STUFF!

From a totally pragmatic point of view, the only thing the hackers are interested in on your Dolphin/aeDating site is the thing that is easiest to turn into revenue, your membership email list, NOT the member passwords! Having said that, I don't for a second discount the fact that some hackers are in the business of harvesting financial information and could possibly extract something from the hacked database. Dolphin/aeDating databases generally do not contain any specific financial information, though certainly a clever hacker could probably process the information that IS included to get that sort of thing if a member was stupid enough to leave or use telltale information in their profile, like a PIN number for a password, etc. But if it is not blatantly obvious, it is unlikely to be on the hacker's radar screen.

Fortunately, hackers are generally NOT a very patient lot and not terribly clever. They are primarily interested in the quick score! Verifiable or verified email addresses have a value and can be easily sold on the SPAM market. Your log files and history files contain REAL PASSWORDS to REAL things that CAN do some damage to your financial security!

Hackers are far more interested in the quick-score gold mines described above, not profile passwords that offer no immediate return or have no potential to be converted to cash!

Here is the short version: SECURE YOUR INCLUDE FILES! MAKE IT DIFFICULT TO HACK (MALICIOUS HACKERS GENERALLY ONLY WANT EASY TARGETS). DON'T MAKE IT EASY FOR THEM. VERIFY ALL THE DATA THAT COMES INTO YOUR SITE FROM FORMS, BLOGS, GUESTBOOKS, EVERYTHING! DO NOT TRUST USER INPUT... EVER! VERIFY THAT THEY ENTERED WHAT YOU THOUGHT THEY WERE SUPPOSED TO ENTER!

That's my 20 cents' worth. Sorry if it looks like a rant, but I have been a target and have managed to keep the bad guys out with a little bit of diligence and a LOT of self defense on my sites.

Password protect your ADMIN folder! It's a PITA to have to enter a double password every time you want to get into your Admin Panel, but it is a much, much bigger PITA if your site gets nuked by a mindless moron who thinks it's fun to trash people's sites... ALL my dating site ADMIN folders are double password access and my code prevents direct access to my include files.

best regards, webmaster extraordinaire
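The post's two standing instructions, "secure your include files" and "verify all the data that comes into your site", are shown below in PHP as an added example. It is not code from Dolphin, aeDating, or the poster; the constant APP_ENTRY, the functions guard_include() and validate_profile_form(), the field names and the sample submissions are all assumptions made for illustration. The include guard stops a browser request aimed directly at a file such as header.inc.php before any of the database credentials in it are evaluated; the validator accepts only fields that match an allow-list of shapes and reports everything else.

```php
<?php
// Added example, not code from Dolphin, aeDating or the forum post's author.
// APP_ENTRY, guard_include() and validate_profile_form() are names assumed here.

declare(strict_types=1);

// 1. The front controller (index.php in a real site; an assumption) defines a
//    marker constant before it includes anything else.
define('APP_ENTRY', true);

// 2. Every *.inc.php file calls this as its very first statement. A request
//    made directly to /inc/header.inc.php never passes through the front
//    controller, so the constant is undefined and the file stops here,
//    before the database login details further down are ever evaluated.
function guard_include(): void
{
    if (!defined('APP_ENTRY')) {
        if (!headers_sent()) {
            http_response_code(403);
        }
        exit('Direct access to this file is not permitted.');
    }
}

guard_include(); // passes in this script because APP_ENTRY was defined above

// 3. Allow-list validation of a profile form. Each field is checked against
//    the shape it must have; anything else is reported, never silently used.
const ALLOWED_COUNTRIES = ['US', 'CA', 'GB', 'DE', 'FR']; // constructed list

function validate_profile_form(array $input): array
{
    $errors = [];
    $clean  = [];

    $username = (string) ($input['username'] ?? '');
    if (preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $username) === 1) {
        $clean['username'] = $username;
    } else {
        $errors['username'] = 'must be 3-20 letters, digits or underscores';
    }

    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email !== false) {
        $clean['email'] = $email;
    } else {
        $errors['email'] = 'not a valid email address';
    }

    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 18, 'max_range' => 120]]);
    if ($age !== false) {
        $clean['age'] = $age;
    } else {
        $errors['age'] = 'must be a whole number between 18 and 120';
    }

    $country = (string) ($input['country'] ?? '');
    if (in_array($country, ALLOWED_COUNTRIES, true)) {
        $clean['country'] = $country;
    } else {
        $errors['country'] = 'not in the list of supported countries';
    }

    // Free text is allowed but length-limited (in bytes) and escaped for HTML
    // output; it must still reach the database through a prepared statement.
    $about = trim((string) ($input['about'] ?? ''));
    if (strlen($about) <= 500) {
        $clean['about'] = htmlspecialchars($about, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    } else {
        $errors['about'] = 'limited to 500 characters';
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'clean' => $clean];
}

// 4. Constructed sample submissions (not real traffic): one well-formed, one
//    with the malformed fields a public form or guestbook typically receives.
if (PHP_SAPI === 'cli') {
    $good = ['username' => 'jane_doe', 'email' => 'jane@example.com',
             'age' => '34', 'country' => 'CA', 'about' => 'Likes hiking.'];
    $bad  = ['username' => 'jane doe; --', 'email' => 'not-an-address',
             'age' => '-5', 'country' => 'ZZ',
             'about' => '<script>alert(1)</script>'];

    foreach (['good' => $good, 'bad' => $bad] as $label => $form) {
        $result = validate_profile_form($form);
        echo $label, ': ', $result['ok'] ? 'accepted' : 'rejected', PHP_EOL;
        foreach ($result['errors'] as $field => $msg) {
            echo "  $field: $msg", PHP_EOL;
        }
        if (isset($result['clean']['about'])) {
            echo '  about (escaped): ', $result['clean']['about'], PHP_EOL;
        }
    }
}
```

Run it with `php guard_and_validate.php` (any file name will do) to see the first submission accepted and the second rejected field by field, with the script tag in the free-text field rendered harmless as `&lt;script&gt;`. The guard is defence in depth: the stronger fix is to keep include files outside the web root, or to have the web server refuse to serve `*.inc.php` at all, so that a direct request never reaches PHP. The double password on the admin folder that the post recommends is done in the web server's configuration (HTTP authentication on that directory), not in PHP, and is separate from this example.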
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
Copyright ©2008 AllAboutDatingSites - Dating Software Support Specialists - All rights reserved.