New on LowEndTalk? Please Register and read our Community Rules.
Comments
What's new about it? Both backup systems and vulnerability scanners have been around forever, and only one of those generally actually works.
Okay, so the "platform" isn't actually doing much, it's mostly just you analyzing issues and then broadly applying the fix to all customers? Or what exactly is the idea here?
There's a reason AV software companies have largely moved over to heuristics. Signature-based scanning just isn't that effective anymore, given how easy it can be to circumvent it. If you're looking for specific hashes, it will be even less effective, because a one-character change can throw it off...
Why not argon2i or scrypt?
So it's a good thing that you're being fairly explicit about the crypto used (what mode, though?), but what's concerning me is that you're glossing over the actual likely attack: someone compromising your storage servers while running. Encryption won't prevent this.
Depending on situation that's not necessarily avoidable, but I would expect you to state that clearly, not squirrel it away in a statement that sounds like everything is magically encrypted and protected.
Possibly, though not certainly. But the real problem here is that you're adding another environment that could be compromised (thereby increasing the attack surface), and it's not entirely clear why that would be a good idea.
What does your service actually, concretely, provide in terms of security? "Vulnerability scans" (current-gen signature-based ones, anyway) are notoriously ineffective, and certainly don't require storing a full copy of a site on an additional system. So what's the value proposition here? What do you do that the hundreds of other vulnerability scanners can't?
@FlamesRunner
Nice and sweet!
BountySite would be a mere code revisioning system for such cases.
Q: What if the FTP client connects to evil FTP server and leaves hacker reverse shell access?
There has to be a vulnerability in python.
Besides, the binary runs under AppArmor, which gives me a few layers of additional security.
If still not convinced, I could offer it with grsec. The pricing of grsec is the only factor why I did not build it into storage. Once upon a time, it used to be free. I can provide customized solutions on storage based on requirements and budget.
I did think of designing with multi user level, but even if one account is compromised it is still as bad as it gets.
Maybe Docker or LXC based containers are better, but it can increase complications in managing.
Another level of mitigation with respect to hosting provider partnership is to allow the client to add only a specific set of IP addresses owned/provided by the hosting provider. This works for partner based programs. So, can't connect to an evil FTP server (just saying).
Besides, for partner(hosting/reseller/white label) based programs we offer/accept dedicated storage servers. So, only partner's customers are stored on the node.
There is no other attack surface on the storage nodes.
Storage node has to be installed with vanilla Debian Stretch off ISO, with openssh only. I have a script which does scanning to tell me if there is anything out of place and needs to be sent for reinstall. Also, in case of a storage server reboot, the services are not brought online till manually completing the above scan. The root OS is not encrypted and someone with physical access could log in (maybe) and insert something.
FTP credentials are not stored on drive in clear text post decrypting. FTP credentials are always in encrypted format in storage. To be able to sniff them out of memory, you need root level access.
I did see your sign up from disposable email address.
I will admit that building UI is not my strength. I did start with building mobile friendly, but lost focus somewhere down the line. I agree that UI needs better hands. I am currently more focused on the functionality and security part.
I am a little obsessed with speed though. I have plans to cut down and make UI faster, but down the priority lane.
If you don't have a problem, I don't have anything to solve.
Your questions did shed light on a few things.
Regarding Testimonials, I would never have a name with company name put out. They would be a sitting duck. I think it is a bad idea having testimonials at all, when it comes to security. I think I better knock out that section.
I should have come out with videos on how to do things rather than just putting forth features.
@LosPollosHermanos
Couldn't agree more on this!
Exactly what I am trying to accomplish with BountySite. Instead of blindly cleaning up sites, you can investigate a website hack.
Even in the case of website restores from hosting provider or via interface, it is mere guesswork. You are only hoping that you have restored your site to the pristine version. It is a trial and error method.
Your website backup does not completely solve the security posture. In most backups, it does not tell you what files and data have changed.
But, when you have backup websites/tables in a revision control, it gives you a nice diff and you can fetch the malware. So, you can easily make out the pristine version. So, restore is no longer guesswork.
With File/Table Change mail notification, you can fix your site before going into blacklisting mode. Getting hacked is bad, but getting blacklisted is where the real problem starts.
@bikegremlin
I am giving Free 1GB website backup for site owners. Users can use Backup Sync(free) to sync a copy of git archive to their own cloud(S3/B2).
I try to wear a different hat for auditing and in fact have made a few additions/changes lately. Perhaps a person with no knowledge of the platform may help. Down the line, I could get someone (legally) to have a go. But my level of trust with other security vendors is low. It's just me.
@jsg
I am trying, but marketing is clearly not my thing. But, I still have to promote and put forth my idea.
These are mostly bugs. How many are security related issues? The most recent exploit found was out of admin interface. With an admin interface, you can do a lot more damage, leaving the exploit. Btw, admin interface is always disabled on live.
Yes, I did file one for Mongodb. I didn't traverse this road and moved away as it was not well supported.
Agreed, OSCP only proves that I am a learner. May not be the world's best certification.
I am not saying that I am the best website security expert. BountySite will help me get better at this.
I agree that BountySite is indeed a huge huge challenge. It's taken me a lot of time and thought building it. I will continue making it better.
Thank you. I can only put facts flat out. It is up to you to decide.
Ok! This is your perspective.
I disagree.
@joepie91
With BountySite, the security scanners are all coupled with backup. No backup, means no security scanning.
All operations work on the backup, the storage server.
The idea is to make security transparent. A site owner can always detect the malware out, through the platform. So, you know what is the issue. This is a start.
Can you find out why it happened? That is the idea of the investigation.
I enumerate applications and their versions, which helps me assess the possible vulnerability that was being exploited to insert the malware.
Based on the possibilities, I can suggest patch(es) which will be available to all websites on the platform to apply and stay secure from the current attack.
Security vendors do the same, but the solution is mostly off WAF. My proposition is at root level, by patching code.
AVs aren't designed for hosting environments. BountySite is for hosting environments.
Well, if you are a site owner and you get a mail saying that a new file was added or an existing file was modified, you don't need any heuristic or artificial intelligence to say that it is malware.
Site owner is best security administrator for their own website. Tell me any security vendor who would say this?
I can actually put greater marketing terms like Artificial Intelligence, Machine Learning etc. which is actually present/doable in BountySite. But I prefer to keep things simple.
web2py default auth is sufficient, which is well supported and inbuilt and tried/tested for a long time.
AES DES 256 bit encryption on storage.
There is no addition of attack surface by adding storage.
Yes, encryption only prevents from physical access removing the hard drive.
I am more than willing to answer your questions. This will only help BountySite get better. I truly appreciate these questions.
Well, you do understand that there is no concrete security solution.
Instead of calling BountySite security scanner, I would call BountySite a problem solver. BountySite solves website(hosting) security related issues at various levels.
Why name BountySite? My main goal is bounty hunting 0day vulnerabilities for web hosting environments. This is just a platform with some automation. This is one herculean task, but I am taking things bit by bit.
So, what various levels?
Level 1 Security
- In most cases, website restore and app update fixes most of infection. Again, which security vendor says this?
- User password resets and cron backdoor checks
- You can investigate what happened to your site, at file/table level
BountySite makes it easy to handle level 1.
Level 2
- Despite doing the above, website still gets infected
- Temporary solution - Dormant Site Protection : A feature that will auto revert changes to a user mentioned version, post backup. This feature can also be used to protect idle websites.
- Security investigation - Investigate why and how it is happening. The real work!
Here is more information that I keyed in lately https://www.webhostingtalk.com/showthread.php?t=1789082
Now, I don't have a prebuilt database of all vulnerability patches. I only address attacks/backed-websites and issue patches. This is all I can do.
One hacked website can protect other websites from the same attack
Works along similar lines to AV vendors updating signatures. The more data you have, the better you get.
BountySite does this without impacting hosting server resources. The backup has minimal resource usage on hosting. First backup is full followed by always incremental based on timestamp, size and perms.
User managed website backups: Managing server website backups can be a pain for providers and it can be offloaded to site owners, who are responsible for their own backups. Also, site owners don't have to wait for the hosting provider to do a restore (depending on website backup software).
I could do all this as a big company and take some funding and backing, if that adds trust. But it would take me in a path of just making money. Surely, I do want to make money but it is not the only thing.
I like my freedom and love what I am doing. I think innovation comes with freedom. I have built BountySite trying to solve problems and not wanting to be better than x security vendor. In fact, I don't and cannot compete with anyone. I am just a problem solver.
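The file change detection the posts above describe (a backup snapshot compared against the previous one, with a diff of what changed) as an added example; this is not BountySite's code, and the two sample site trees, the record fields (hash, size, mode) and the paths are constructed for the demo.

```python
"""Site file integrity check: snapshot a web root, compare two snapshots and
produce a unified diff of a modified text file. The sample trees below are
constructed for this example."""
import difflib
import hashlib
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    sha256: str
    size: int
    mode: int  # Unix permission bits, compared alongside hash and size


def snapshot_tree(files):
    """Snapshot from a mapping of relative path -> (bytes, mode)."""
    return {
        path: FileRecord(hashlib.sha256(data).hexdigest(), len(data), mode)
        for path, (data, mode) in files.items()
    }


def snapshot_dir(root):
    """Same snapshot taken from a real directory (a live web root)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            files[os.path.relpath(full, root)] = (data, os.stat(full).st_mode & 0o777)
    return snapshot_tree(files)


def compare_snapshots(baseline, current):
    """Report added, removed and modified paths (content, size or mode)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def unified_diff(path, old_bytes, new_bytes):
    """Line diff of a changed text file, so the owner sees what was injected."""
    old = old_bytes.decode("utf-8", "replace").splitlines(keepends=True)
    new = new_bytes.decode("utf-8", "replace").splitlines(keepends=True)
    return "".join(difflib.unified_diff(old, new, f"a/{path}", f"b/{path}"))


# Constructed sample: yesterday's backup and today's backup of a tiny site.
BASELINE_FILES = {
    "index.php": (b"<?php\necho 'hello';\n", 0o644),
    "wp-config.php": (b"<?php\n$db = 'site';\n", 0o600),
}
CURRENT_FILES = {
    "index.php": (b"<?php\n// injected line\necho 'hello';\n", 0o644),
    "wp-config.php": (b"<?php\n$db = 'site';\n", 0o644),  # perms loosened
    "wp-content/uploads/.cache.php": (b"<?php\n// dropped file\n", 0o644),
}


def demo_report():
    """Changes between the two constructed backups plus the diff of index.php."""
    changes = compare_snapshots(snapshot_tree(BASELINE_FILES),
                                snapshot_tree(CURRENT_FILES))
    diff = unified_diff("index.php", BASELINE_FILES["index.php"][0],
                        CURRENT_FILES["index.php"][0])
    return changes, diff


if __name__ == "__main__":
    report, diff_text = demo_report()
    print(report)
    print(diff_text)
```

For a real site, call `snapshot_dir()` on each backup directory and pass the two results to `compare_snapshots()`; a permissions-only change still shows up as modified even though the content hash is unchanged.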
I don't think I have ever needed to wipe/re-install to permanently clean up of a compromised server. There was a lot of time and effort involved sometimes but I learned a lot. I learned to understand the enemy so to speak. I certainly don't live in fear of hacks or potentially unsafe software anymore. I know most of the tricks they use and do a lot of pre-emptive things now to prevent potential hacks with zero-day exploits. You can only learn how to be good at that by taking the harder route and not just wiping and re-installing.
That's not a reliance, that's being certain. Kill it with fire. You will never be able to say with 100% certainty that you found and removed the infection, therefore it's permanently suspect and unsecured. Your ego that you found and removed 100% of the infection is being counted on for missing hidden backdoors. Don't guess, be certain, especially if it's not just your data. You don't come off as a surgeon, just lazy and willing to take unnecessary risks.
Okay, so what? How is this advantageous? This sounds like a "Facebook, but for dogs"-style marketing pitch to me.
Okay, so... basically all you do is check installed software against a list of versions and known vulnerabilities for those versions?
This is irrelevant. An ineffective detection measure doesn't magically become effective just because it's a hosting environment.
There are many tools for detecting file changes already. This is not novel, nor does it need to be a service.
No, it's not. PBKDF2+SHA512 is very prone to being attacked through ASICs/FPGAs, because it isn't memory-hard, like scrypt and argon2i are. You're in the business of selling a security product; I'd expect you to know this.
The current default suggestion from cryptographers / security specialists for password hashing is argon2i, not PBKDF2.
This is letter soup. "AES DES 256 bit encryption" is not a thing, and DES is certainly not an AES mode. This statement alone makes me immediately skeptical about your competence level where security is concerned, and would be enough to make me recommend against using your services.
What? Of course there is! You're storing a copy of data in a new place, a new environment that can be individually attacked. You've gone from one single-point-of-failure, to two single-points-of-failure, where compromising that data is concerned.
This is marketing fluff. I'm not interested in marketing fluff. None of this tells me clearly what your product actually does, from a technical perspective. How does it work? How do things get 'investigated'? How do compromises get detected if it doesn't match a known signature? How do the "backdoor checks" work? And so on.
I don't expect anyone to take external funding. In fact, I much prefer it when they don't. The problem is that you're over here making grandiose claims, yet showing yourself unable to properly address simple technical and security concerns.
Running something like this by yourself is fine. But then you do actually need to know what you are doing, and I am not at all convinced that that is true here.
You're selling random people a security service here. You're asking them to trust you that you're protecting their stuff. That comes with a responsibility to get it right, and to not overpromise.
Comments like this:
... are therefore extremely worrying to me. A service like this shouldn't be your personal learning environment, and I frankly don't think you're ready to run something like this. Try it out in a more restricted environment first, offering it as a free thing for friends or whatever.
On this one I would be more generous than you, because PBKDF2 is in RSA's PKCS, which many less experienced people understand to be a recommendation from RSA. Also it's technically dimensionally better/more secure than MD5 or SHA1 or even SHA2 (which is the background against which PBKDF must be seen in real life as those are still used by many). And while you are right that PBKDF2 is not a really good solution it's still a very major obstacle for intruders/crackers.
Two points though still remain
There he stated pure BS. And you were even too generous with your response, because not only does he of course add attack surface but way worse he created and runs a highly attractive target because hackers, if successful, gain access not only to one site but to many sites and even at different levels.
And frankly I see no basis to presume that @bountyside even understands that. His first and main wall against intruders is "well, what web2py comes with" ...
And there are many more points. To name one example: one does not use Debian (or CentOS) and certainly not as it comes as an ISO for a secure storage server but one uses Slackware or Alpine or the like -plus- one creates one's own minimal kernel at the very minimum. Simple reason: code that's not there is code that can't be attacked.
FULL ACK.
Remember Violasoft and Trendfire Security Essentiales? Sounds just like them
@LosPollosHermanos
Yes!
@TimboJones
With BountySite, when you know the changes made to the website you know what has happened and know how to fix it.
@joepie91
You asked me how I am different.
This solution of backup coupled with security is effective.
Yes! It is one of the parts of the automation.
Yes, it is. You try to run a website malware against all known AVs. Even try VirusTotal, you will not have a 100% hit.
Which tool is available in the market which notifies site file changes via mail to a site owner and can show diffs? Of course, no rocket science in it.
Site File Integrity System is an effective way of dealing with website infections.
I reiterate I am only solving a problem.
My apologies, on buff up it is AES CCM, by zfs. I should have checked. Yes, cryptography is not my forte. I rely on zfs and cryptsetup, for storage data encryption.
You mean, moving from hosting environment(SPOF) to another copy of data on storage? The storage is invisible to internet. Storage can be logged in only via a jumpbox with mandatory 2FA https://www.bountysite.com/sshtrail.html
Hence, no other attack surface except via evil FTP server.
Also, storage servers can be kept in a NATed private network.
Ok! I am trying to explain.
I have plans to automate source code analysis to ease finding 0day. Like give me those POST and GET in a summary, and find where the var is used. But that is next phase.
The backdoor checks on files are malware checks. Educating users to check for cron jobs and password resets are part of backdoor checks. Security is not just technology.
Yes! Valid point.
The Bounty model is where you get paid only for successful investigations. Never have I mentioned any guarantees of any sort. If someone wants data reliability and guarantee, use Backup Sync to push an archived copy to their own storage.
I think there are different ways to take these reviews as:-
None of you have used or tried my service fully and have already jumped to conclusions. If you were to really give feedback, it would have been what the platform could have to make it better.
All services start with a free trial. I can only answer questions.
@jsg
Yes, why would I change the default auth and break the whole default session management of a framework that has been tried and tested for so long? There is lot more work and testing to these changes, which can shift my focus.
For the likes of hosting environments, I reckon that this is enough.
1000 iterations
Debian install with openssh comes with minimal set of binaries and kernel. Besides, this can also be deployed on any *nix os. I just have the automation ready for Debian install and verification. My next choice would be Arch linux and then look at OpenBSD.
I indeed was looking at OpenBSD, but it does not really add much. Maybe OpenBSD can help stack protection.
One suggestion that I can take from this is to run this service along with existing hosting backup services.
Running a free service is definitely part of the plan.
@FlamesRunner
Like I said before I have not looked any other service offering. I have built the platform addressing the problem areas only.
I am being constantly swept down the security vendor lane.
Yes, there are things that I can do and there are things I cannot. Do you really think the big players out there have the best security platform? At least, I dare to answer these onslaughts.
Definitely! I need videos out there to showcase things.
@bountysite
Wait, is this intended to cover the webroot of a website, or the entire OS? I was thinking your service is just the webroot (for it to be portable to other hosts) but I'm talking about an infected server (OS) needing to be put down and reinstalled. There's thousands of files to track over GBs of data.
But yours isn't the local bakery's website.
That was too low 10 years ago, let alone today. But it still is the default in web2py. I just looked it up (https://github.com/web2py/web2py/blob/master/gluon/contrib/pbkdf2.py).
Unfortunately it uses SHA-1 as default hash algo. !WARNING! -> That is very poor! I strongly suggest that you at least have it use SHA-256 (or even better SHA-3, which btw is not considerably slower).
And you also should very considerably increase the iteration value.
No, debian comes with all the usual stuff (e.g. su, sudo) and a kernel that may look small compared to some of the monsters out there but is not minimal, plus debian comes with systemd and its whole apt stuff.
You should try to make sure that each system in your operations has what it needs and only what it needs, both in the kernel and in terms of binaries. If you want both a distro with a good reputation and good security (for a linux) look at alpine which comes with something like apt ("apk").
OpenBSD IMO is clearly better in terms of code quality and security but it has some quirks (e.g. no SMT and often no or only half-cooked SMP) that may make it unattractive for some jobs. Plus being a BSD it's quite a bit different from Linux so you would need to learn a lot.
Should you go with OpenBSD? Some people out there consider anything except OpenBSD unacceptable (in terms of security), others say it's not anymore that much ahead of other OSs. I personally would not urge to use OpenBSD in most cases (although I think highly of OpenBSD). One can have a reasonably secure system based on Linux but that requires a lot of effort and attention.
But clearly what you operate with right now is light years away from being even modestly safe and secure.
My advice: Do not argue with @joepie91 but carefully think about what he told you.
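The PBKDF2 parameter discussion above (a SHA-1 default at 1000 iterations versus a stronger digest and a much higher count), as an added example that is not web2py's or BountySite's code. The record format, the policy thresholds and the default iteration count are this example's own assumptions; it also shows the rehash-on-login pattern for migrating weak records.

```python
"""PBKDF2 password hashing with explicit, auditable parameters, and a
transparent upgrade of records stored with weak settings. The record format
'pbkdf2$<iterations>$<digest>$<salt_hex>$<dk_hex>' and the thresholds are
assumptions of this example."""
import hashlib
import hmac
import os

# Assumed policy for this example: records using these digests or fewer
# iterations are flagged and rehashed on the next successful login.
WEAK_DIGESTS = {"md5", "sha1"}
MIN_ITERATIONS = 100_000
DEFAULT_DIGEST = "sha256"
DEFAULT_ITERATIONS = 600_000  # assumed target; tune to your CPU budget


def hash_password(password, digest=DEFAULT_DIGEST,
                  iterations=DEFAULT_ITERATIONS, salt=None):
    """Derived-key length equals the digest size (32 bytes for sha256)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${digest}${salt.hex()}${dk.hex()}"


def parse_record(stored):
    scheme, iterations, digest, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unsupported scheme")
    return int(iterations), digest, bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password, stored):
    """Recompute with the record's own parameters; constant-time compare."""
    iterations, digest, salt, dk = parse_record(stored)
    cand = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                               iterations, dklen=len(dk))
    return hmac.compare_digest(cand, dk)


def audit_record(stored):
    """List why a stored record is weaker than policy; empty means fine."""
    iterations, digest, _, _ = parse_record(stored)
    findings = []
    if digest in WEAK_DIGESTS:
        findings.append(f"digest {digest} is weak")
    if iterations < MIN_ITERATIONS:
        findings.append(f"{iterations} iterations is below {MIN_ITERATIONS}")
    return findings


def verify_and_upgrade(password, stored):
    """Login helper returning (ok, record). A correct password against a weak
    record is rehashed with current parameters so the database migrates
    gradually, without forcing password resets."""
    if not verify_password(password, stored):
        return False, stored
    if audit_record(stored):
        return True, hash_password(password)
    return True, stored


if __name__ == "__main__":
    # Legacy record emulating the weak defaults discussed in the thread.
    legacy = hash_password("s3cret", digest="sha1", iterations=1000)
    print(audit_record(legacy))
    ok, migrated = verify_and_upgrade("s3cret", legacy)
    print(ok, audit_record(migrated))
```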
My next project should really be a CMS with proper plugin sandboxing.
@TimboJones
Yes, BountySite is only for websites.
@jsg
Ok! thanks
Debian does not come with sudo. You can move unwanted binaries elsewhere. For best community support and stability, Debian is good.
Few years back, I do remember looking at Alpine. I wasn't sure of the community support and its backing.
It seems it is lately gaining traction with docker due to its small footprint. Not having grsec is also a big loss for alpine.
The opinion of restricted environment is nothing but allowing only known FTP server, which is already inbuilt as a feature for partner based setups. I think what you are recommending is to implement partner based setups only.
Ok! Point taken
Another key aspect to note is that the attack will have to come from a signed up user, which would be a hosting customer. Unlikely, but possible!
The thing with BountySite storage is that I can design custom storage nodes depending on customer requirements. I have already spent some time looking at OpenBSD before. I will revisit this and add it as an option to storage solutions. In fact, I am looking at adding BSD based nodes too, as an option.
The best aspect of BountySite is providing users with ample information to fix on their own. BountySite is like a DIY tool for malware removal. BountySite is not a have and forget tool. Since everything is going into a git revisioning system, I can say that I don't need any level of expertise whatsoever for the malware removal part. The expertise is needed only in building intelligent signatures to catch malware which will only come in a live environment. Hence my point. Just being brutally honest here.
Site owner is the best security administrator for their own website. BountySite is like a Site File Integrity System. I initially thought of having site owners report malware on their own, and it would automatically apply/report for other site owners(like "This file has been reported as malware by 100 other users"). But this would mean trusting site owners, which could lead to false positives.
Regarding multi user setup, one way of implementing is with LXC and using custom templates. For every customer(not website), an unprivileged container can be created under a new user(precreated with LXC container[with static ip] running the job with API on port x). An API on host would need mapping as to which user is mapped to which customer, and proxy the API request to the respective container. But this would reduce the number of provisionable backups in a storage node from 20K to 1K. This is something like having a shared hosting to a VPS.
I think I should add as a premium service.
I just noticed that my website is missing "How it works" page. Lost it in website redesign. My bad! It would take a week to just put forth everything. I will mention all possible deployment options with its pros and cons. Sounds fair!
BountySite's main core was ready in Jan 2018, and it's being constantly tested. Yes, more and more layers of security should be added constantly. No doubt!
Thank you for the feedback and opinions.
Why not do both?
https://www.theregister.co.uk/2018/09/15/alpine_linux_bug/ proves that minimal is not always secure. Honestly, not sure what to make of the advice.
I gave a good thought about everything and I have decided to go in for a major overhaul.
@LosPollosHermanos
My initial idea "One Threat One Dollar" was to run off a hosting server. The idea was to charge $1 for every detected vulnerability. Basically, compute hashes (md5, sha256, fuzzyhash) and put everything in a db.
All you do is run a query to detect vulnerable code. For example, search for filename xxx.php with a vulnerable code snippet in fuzzyhash to detect a vulnerability, or search for a sha256 hash of a vulnerable code file.
The problem with this concept:-
So, BountySite approach was to:-
Your question is what if a website hack gets elevated to higher privileges and how to detect server level backdoors?
The industry is mostly using CloudLinux to mitigate Cross Site Contamination like attacks, and KernelCare to upgrade kernel without reboot.
This technique would help but won't be enough. The malware could be running off memory and not be present on the file system. There is already a hash database (I think OWASP file hash db) for carrying out forensics.
I won't be able to manage server side security like websites. There is a lot more.
I want to focus on proactive security patching and vulnerability detection off source code, for websites.
Proactive security patching and vulnerability detection is fine if you truly understand what you are protecting against. The only way to truly understand is dig into it rather than just re-installing or applying patches someone else made.
"Sometimes the correct path is the tortured one."
--a line from Draft Day
@LosPollosHermanos Agree totally!
In most cases, upstream patch is enough or better, notify site owner to perform website update. Only in case of a zero day, a quick fix patch will be offered, which can only be done on fully understanding the vulnerability.