
Moving forward with Composr

ocPortal has been relaunched as Composr CMS. ocPortal 9 is superseded by Composr 10.

Head over to for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.


Beta-countdown: May 6th

Posted 06 May 2006, 10:30 AM

If there's anything that can ruin a good evening, it's having some punk hacker come along to destroy your website ;). I don't mean to imply ocPortal can be hacked 'just like that', but like every non-trivial Internet-interfacing application, there are bound to be unforeseen issues that enough people with enough computers and enough time on their hands could find. I'll avoid comparing this to monkeys and typewriters, because you can't fight hackers by insulting them - understanding is the key, and a lot of them are very bright.

We go to great lengths to keep ocPortal secure, on many levels, including:

  • having a security strategy
  • having our own automated checking tools
  • having an architecture within ocPortal for secure programming
  • having constant scanning as ocPortal is used

Nobody else, as far as we know, comes close to having such a combination of measures and such dedicated technology. Many of our competitors actually fail on the most basic level - either not actually knowing how the common vulnerabilities work, or perhaps, just not caring. For example, for one client of ours I needed to integrate an extremely popular link system, WSNlinks, into ocPortal - WSNlinks was so insecure that I had a hack that could easily be used to take out an entire website domain worked out in five minutes - and I certainly wasn't looking for it or analysing the code particularly deeply! Anyway, I hope that little aside convinced you that I care and know about this stuff (not that I'm a hacker myself) ;).

To further improve security in version 3, we have added new features to tackle three widespread problems (widespread in general, that is: we haven't actually spotted these being used against ocPortal yet):

  • DOS (denial of service) attacks. The nature of these is a lot simpler than they sound - essentially the computer which is responsible for operating your website is attacked by large quantities of requests per second from a hacker, and your computer then spends all of its resources in an attempt to fulfill each one. Many DOS attacks end in the victim's computer becoming completely unresponsive, or simply crashing.
  • 'Rooting' a server. This involves hacking the web server account and leaving a 'backdoor'. 'Rooting' is either done from some direction that ocPortal cannot monitor (such as via another web application), or done via an as yet unknown vulnerability in ocPortal.
  • Hacking a server by trial-and-error, but not getting caught and banished before damage is done (if, for example, a user goes on holiday and hence cannot act on hack-attack e-mails).

DOS attacks are detected automatically, with attacking IP addresses automatically banned at a low level, such that they cannot tie up further resources in any measurable way.

If numerous hack attack messages come from a single computer, the computer is automatically banned.

There is a special script that will help detect if ocPortal PHP files or critical/sensitive database settings are changed, by off-server comparison of data.

None of these methods are foolproof, but they do significantly raise the bar security-wise, reducing the chance that any particular hacker will be able to compromise your website.
