Author Archive

Cross Site Request Forgery (CSRF) – how clever hackers obtain access to your accounts

Written by BWG on . Posted in Security, Vulnerabilities

Most developers these days are well aware of the importance of validating user input. Validating user input prevents a user from injecting malicious code through your web forms. Injecting code into a form on a website is known as Cross Site Scripting (XSS) and is different from CSRF. It is unfortunate that many developers these days are not educated enough in security: though they successfully validate their input, they forget to implement CSRF protections, a critical error that leaves the site vulnerable to attack. We are going to talk about CSRF, what it is, how to prevent it, and what can happen if you don’t.

Take this example: you are logged into your bank’s website, which is vulnerable to CSRF. There are certain functions you can perform as a logged-in user that pertain to your account, for instance deleting your account, editing your profile, or changing your password. CSRF allows an attacker to trigger those same website functions, the things you can do while you’re logged in. The caveat is that you must still be logged in, with that tab open in your browser, for the attack to work.

As a user who is unaware of the evil plot underway, you click a link in an email you got (or browse to a malicious website), and it brings you to a web page as expected. Meanwhile you’re still logged into your bank’s website, but have it in a different tab. This evil website then makes a request to your bank’s website, claiming you want to delete your account. The website has no CSRF protection, and goes ahead and deletes your account. You have no idea what just happened and go about your business.


This is a typical CSRF scenario. The bank had no way of telling whether you legitimately clicked the delete account button, or whether it was a malicious request from a site you were browsing. Since these requests happen in the background, as a user you have no way of seeing them happen. Simply browsing the web can lead to your account being compromised!

This could have been prevented if the developer writing the bank’s software had been knowledgeable about CSRF. To prevent CSRF attacks on your website, forms and “state change” action buttons need to contain a token. A token is a unique set of randomly generated numbers and letters. So, say I have a form. The form contains a text area for a password change, asking the user what they would like to change their password to. We also must implement a hidden field (the user will not see this field, but it is sent to the user in the code that makes up the form, so it’s not truly hidden) and put our unique generated token in it. Now when I submit the new password, the server will expect this token to come back and be the same token that was supplied. If it is not, we can disregard the request, as it had no token or the token was invalid. This is how you can successfully prevent CSRF attacks.
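The password-change form described above, worked through as an added example (this is not code from the original post). It models the bank’s server side in plain Python with no web framework: the `session` dict stands in for the server-side session the browser’s cookie selects (the forged cross-site request arrives with that cookie, which is why the unprotected handler accepts it), and the handler names and the in-memory session are assumptions for illustration.

```python
import hmac
import secrets

def issue_csrf_token(session: dict) -> str:
    """Create one unguessable token per login session and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)  # 256 bits of randomness
    return session["csrf_token"]

def render_password_form(session: dict) -> str:
    """The form the bank sends to the browser; the token rides in a hidden field.
    token_urlsafe only yields [A-Za-z0-9_-], so the value needs no HTML escaping."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/change-password">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="password" name="new_password">'
        '<button type="submit">Change password</button></form>'
    )

def change_password_unprotected(session: dict, form: dict) -> str:
    """Vulnerable handler: any page that can make the logged-in browser POST here wins."""
    session["password"] = form["new_password"]
    return "password changed"

def change_password_protected(session: dict, form: dict) -> str:
    """Hardened handler: the submitted token must equal the one stored for this session."""
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # compare_digest avoids timing leaks; a missing token on either side is rejected too.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: missing or invalid CSRF token"
    session["password"] = form["new_password"]
    return "password changed"

if __name__ == "__main__":
    session = {}                                   # constructed: one logged-in user
    render_password_form(session)                  # the user loads the real form
    forged = {"new_password": "attacker-chosen"}   # cross-site POST: carries no token
    print("unprotected:", change_password_unprotected(dict(session), forged))
    print("protected:  ", change_password_protected(session, forged))
    legit = {"new_password": "new-secret", "csrf_token": session["csrf_token"]}
    print("legit:      ", change_password_protected(session, legit))
```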

If your website is vulnerable to both XSS and CSRF, it opens up a whole new world of hacking possibilities, as the attacker does not need to trick you into clicking a link, or wait for the rare occasion when the user has the vulnerable target website’s tab open. By injecting code on the website itself, the chances of you browsing to that page are a lot higher, and most people will fall victim to these kinds of attacks.

To be safe, inputs should not only be validated and stripped of special characters, but also contain a unique token to check against. Doing these two things will thwart a lot of hacking attempts and keep you and your users safe from hackers.


For more information on this or other topics, or if you think you have been directly affected by one of these attacks, please call us at 855.355.SITE today.

Join The Food Cloud today

Written by BWG on . Posted in Hospitality Industry, Restaurants, Search Science, WordPress

It’s almost the weekend, and people are starting to plan out where they are going to eat-in or order take-out. The best way for your restaurant to get noticed is through using The Food Cloud. The Food Cloud provides the platform for your restaurant’s mobile and web solutions. Unlike competitors, The Food Cloud allows restaurants to maintain their brand.

The Food Cloud allows your customers to make reservations, and order online through your website. They’ll also be able to conveniently order through your custom app as well. Having an adequate mobile app opens the door for more business. With the increased use of smartphones, customers are mobile now more than ever. Customers intuitively will use the online ordering system provided through your mobile site.

A large part of becoming a successful business in any industry, is keeping your customers constantly engaged. If you have not yet taken advantage of or have struggled with email marketing, look no further. The Food Cloud automatically adds your customers to a running email list. This will allow you to master the art of email marketing. You’ll be able to easily send coupons, and set up loyalty programs.

You’ll also be sent detailed reports about your day to day business to allow you to plan for the road ahead. Everything will be laid out for you on an eye pleasing and interactive dashboard. You’ll also be able to keep your customers up-to-date with everything.

Our client http://bostonkashmir.com, located on the renowned Newbury Street in Boston, had immediate success with The Food Cloud. On the first day that it was launched, they saw an increase in business, with several orders taking place through the new system. Many of their customers also signed up for the email list.

Get The Food Cloud today!

http://thefoodcloud.com  

And check out our introductory video here:

Send Email With Your Domain, Using Gmail

Written by BWG on . Posted in Email Support

You may have a domain, but you don’t have a website built yet, or your website is in production. If you don’t have one, you can buy a domain from us. You may want to start using your domain name to send emails from Gmail, as opposed to using our hosting email service, such as Roundcube or SquirrelMail. Here is how you do that.

  1. Click the gear icon in the upper right, then select Settings.
  2. Select the Accounts and Import tab (or Accounts tab, if you’re using Google Apps).
  3. Under Send mail as, click Add another email address.
  4. In the ‘Email address’ field, enter your name and alternate email address.
  5. Choose one of two options:
    • Use Gmail’s servers to send your mail (this is easier to set up).
    • Use your other email provider’s SMTP servers (we recommend this option for professional mail accounts or domains).

Note for Google Apps users: depending on your domain type, this feature may be disabled by default. Talk to your administrator if you have any questions.

If you choose to use Gmail’s servers:

  6. Click Next Step >> and then click Send Verification. Gmail will send a verification message to your other email address to confirm that you own it.
  7. Open your other account and either click the link in the message Gmail sent or enter the confirmation code in the Accounts section of your Gmail settings.

If Gmail sends a verification email and you didn’t receive it, the message was probably caught by a spam or bulk mail filter in your recovery email system. Try checking your Spam or Bulk Mail folders for a message from [email protected] to see if the email ended up in there. Your Gmail address will still be included in your email header’s sender field, to help prevent your mail from being marked as spam. Most email clients don’t display the sender field, though some versions of Microsoft Outlook may display “From [email protected] on behalf of [email protected]”. For this reason, if you don’t want ‘on behalf of’ to appear in any of your messages, we recommend using the SMTP servers of your other email provider.

If you choose to send mail through another domain’s SMTP servers:

  6. Enter the SMTP server (e.g. smtp.domain.com), your username on that domain, and your password for that account. You may also need to adjust your port setting or SSL setting (talk to your other ISP if you need this information).
  7. Click Add account >>.
  8. Open your other account and either click the link in the message Gmail sent or enter the confirmation code in the Accounts section of your Gmail settings.

Your other email provider has to provide authenticated SMTP support for you to use this option. We’ll use TLS by default, or SSL if you enable it. Many email services that provide POP or IMAP support also offer authenticated SMTP support, and you can likely find your SMTP server configuration instructions alongside information about POP or IMAP. Also, this new version of custom ‘From:’ doesn’t work with Yahoo! Mail Plus accounts just yet, but we’ve reached out to Yahoo! to try to get it working.

Setting up Email Account with Thunderbird

Written by BWG on . Posted in Email Support

Sending & Receiving with your new Email Account

Before starting:

  1. Make sure your domain name loads. If it doesn’t load, your email account won’t work.
  2. Make sure you have set up your email accounts at yourdomain.com/cpanel.

You are now ready to begin setting up your email accounts.

  1. Open Thunderbird.
  2. Go to “Tools” and click on “Account Settings”.
  3. The “Account Settings” window will pop up. Click on “Add Account…”.
  4. This will start up the Account Wizard. Select Email account, then click Next.
  5. Enter your name and your Email address in the input boxes. This does NOT have to be your “[email protected]” (you can use “[email protected]”, “[email protected]”, etc.). Then click Next.
  6. You can select either POP or IMAP; both are supported on our servers. If you plan on setting up your mail on many computers, use IMAP.
    • POP: Downloads emails to your local computer and removes the copy from the server.
      • Good for preventing your E-Mail box from becoming slow or full!
      • Allows you to view emails offline.
      • Since the E-mails are downloaded and removed from the server, you cannot receive those E-mails on other computers you may have.
    • IMAP: Accesses E-mails only when viewing them, always keeping a copy on the server.
      • Good for accessing E-mails from many computers: from the office to your home.
      • Requires that you have an Internet connection when viewing E-mails.

Also fill in the Incoming Server as mail.yourdomain.com. Then click Next.

  7. Now type in the username that you set up in cPanel, using the following format: “[email protected]”. Then click Next.
  8. Do the same here: put your Email account username. Then click Next.
  9. Just click Finish and you’re done!
  10. Now you need to set up a way of sending Email. To do this, click on Outgoing Server (SMTP) in Account Settings.
  11. Then click Add.
  12. Now fill in:
    • Description: Put your Email address.
    • Server Name: Type in your mail server, mail.yourdomain.com.
    • Port: You can put 25 or 26. If your ISP is blocking port 25, which many do to prevent spam, then choose 26.
    • Make sure the checkbox is checked for “Use name and password”.
    • User Name: Type in your full email address. Again, make sure you have created this account already in cPanel.
    • Make sure that TLS, if available, is selected.
    • Finally click OK.

Setup And Access Your Webmail

Written by BWG on . Posted in Email Support

Webmail is a great feature offered by Boston Web Group via your cPanel hosting account. You can access email from any PC connected to the Internet. There are two ways to log into webmail supplied with cPanel.

  • Access webmail through cPanel (Administrator Access Only)
  • Access webmail via direct link (For Email Users) (directions below)


Access Webmail via Direct Link

To access the webmail directly, type the following information into the browser.

If the domain name has propagated type:

http://www.yourdomainname.com/webmail

Substitute your primary domain or an addon domain name for yourdomainname.com.

or

http://webmail.yourdomainname.com

Substitute your primary domain name where it says yourdomainname.com in the examples. This method does not work for addon domains.

You can also access it by going through the default webmail port number of 2095 as in the following example.

If the domain has propagated type:

http://www.yourdomainname.com:2095

Once you go to the address above, you will be prompted for your user name and password. Be aware that it is not asking for your cPanel user name and password. All email account user names look just like the email address.

Please note that the login name and password are case-sensitive, and must appear as they display in your control panel.

In the user name section, type your full e-mail address (example: [email protected]). In the password section, provide the password which you provided when you created the email account. Then hit enter. You are now logged into webmail!

Are you able to receive emails but not send?

If you aren’t able to send email, this usually means one thing… your internet provider is blocking you from using anyone’s outgoing mail servers but their own. Many major internet service providers (ISPs) block outgoing emails to prevent their internet connection from being used for spam. In order to work around this issue, we have opened Port 26. Please change the outgoing mail server (SMTP) from the default Port 25 to Port 26.

If you use Outlook, please be sure to select the option for “Outgoing SMTP Server Requires Authentication”. This is now required for our server security.
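The outgoing-mail settings from the Thunderbird steps above (port 25 or 26, “Use name and password”, TLS if available) and the port 26 workaround in this section, combined in an added Python example; this is not Boston Web Group’s code. It tries port 25 and falls back to 26 when the ISP blocks it, and it refuses to send the mailbox password unless the server offers STARTTLS and its certificate verifies. `mail.yourdomain.com` is the placeholder from the instructions, and `FakeSMTP` is a constructed stand-in for `smtplib.SMTP` so the example runs offline.

```python
import smtplib
import ssl

SMTP_PORTS = (25, 26)  # try 25 first; fall back to 26 when the ISP blocks 25

def send_authenticated(host, user, password, msg, ports=SMTP_PORTS,
                       smtp_factory=smtplib.SMTP):
    """Send msg through the hosting SMTP server on the first reachable port,
    requiring STARTTLS before the password is sent. Returns the port used."""
    last_error = None
    for port in ports:
        try:
            conn = smtp_factory(host, port, timeout=10)
        except OSError as exc:          # refused / timed out: typical ISP port block
            last_error = exc
            continue
        with conn:
            conn.ehlo()
            if not conn.has_extn("starttls"):
                raise RuntimeError(f"{host}:{port} offers no STARTTLS; "
                                   "refusing to send credentials in the clear")
            # Default context verifies the server certificate and hostname.
            conn.starttls(context=ssl.create_default_context())
            conn.ehlo()
            conn.login(user, password)  # "Use name and password" in Thunderbird
            conn.send_message(msg)
            return port
    raise ConnectionError(f"no SMTP port reachable on {host}") from last_error

class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the example runs offline (assumption):
    port 25 is 'blocked' by the ISP; port 26 answers and may offer STARTTLS."""
    offers_tls = True
    sent = []
    def __init__(self, host, port, timeout=None):
        if port == 25:
            raise OSError("connection timed out")
        self.port, self.tls, self.user = port, False, None
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def ehlo(self): pass
    def has_extn(self, name): return self.offers_tls and name.lower() == "starttls"
    def starttls(self, context=None): self.tls = True
    def login(self, user, password):
        if not self.tls:
            raise RuntimeError("password offered without TLS")
        self.user = user
    def send_message(self, msg): FakeSMTP.sent.append((self.port, self.user, msg["Subject"]))
```

With the real `smtplib.SMTP` factory, `msg` is an `email.message.EmailMessage`; `FakeSMTP` only reads its `Subject` header.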

What if both Port 25 and Port 26 don’t work?

Some ISPs block both ports, and you will need to follow your ISP’s procedures for sending email. You will typically have one or two choices. Sometimes you may contact your ISP to request that they open port 25, and they will do this for you, although many ISPs have begun declining to do so. Some ISPs may require you to use their SMTP servers for all outgoing mail, so that they can monitor outgoing email on their network in order to prevent spam.

You’ll want to contact your ISP about which SMTP servers you should use for outgoing email. This information is usually posted on a page of their website. If they have a search box on their site, searching for “port 25” will usually lead you to the relevant pages.

You may still send email as being from your domain (i.e. [email protected]); it just needs to be routed through their SMTP servers.

But my mail used to work.

Sometimes ISPs change their policies and start implementing blocks to certain ports without informing their customers (other than perhaps a post on their website). Most ISPs post information about Port 25 on their website if they have implemented a policy of blocking it. If sending mail suddenly stops working, this is probably why.