<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>vCMS Visual Content management system</title>
	<atom:link href="http://vcms.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://vcms.wordpress.com</link>
	<description>Just another WordPress.com weblog</description>
	<lastBuildDate>Tue, 16 Jun 2009 06:21:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='vcms.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>vCMS Visual Content management system</title>
		<link>http://vcms.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://vcms.wordpress.com/osd.xml" title="vCMS Visual Content management system" />
	<atom:link rel='hub' href='http://vcms.wordpress.com/?pushpress=hub'/>
		<item>
		<title>Open-Source Drupal Turns Pro</title>
		<link>http://vcms.wordpress.com/2009/06/16/open-source-drupal-turns-pro/</link>
		<comments>http://vcms.wordpress.com/2009/06/16/open-source-drupal-turns-pro/#comments</comments>
		<pubDate>Tue, 16 Jun 2009 06:21:02 +0000</pubDate>
		<dc:creator>viencanh</dc:creator>
				<category><![CDATA[CMS]]></category>
		<category><![CDATA[Drupal]]></category>
		<category><![CDATA[content management systems]]></category>
		<category><![CDATA[Open-Source]]></category>

		<guid isPermaLink="false">http://vcms.wordpress.com/?p=5</guid>
		<description><![CDATA[As we've seen time and again, in an increasing number of enterprise software categories, open source has become a promising alternative to commercial software. But there's no free ride.]]></description>
			<content:encoded><![CDATA[<div><p>Support from developers is often problematic, and you need to find products with a large enough following so that programmers have an incentive to build add-on modules. When the Test Center reviewed open source CMSes (<a title="Content Management Systems" href="http://www.vietsmall.com/vcms.php">content management systems</a>), these two factors often broke the tie between otherwise robust solutions and gave Alfresco the advantage. (For InfoWorld&#8217;s comparative review of Drupal, DotNetNuke, Plone, Joomla, and Alfresco Community Edition, see &#8220;Open source CMSes prove well worth the price.&#8221; For the Test Center&#8217;s top picks of free and open source software for business, IT, and personal productivity, see &#8220;Best of Open Source Software Awards 2008.&#8221;)</p>
<p>Yet if you take support out of the equation, Drupal emerges as the better solution for many enterprise Web projects. That&#8217;s because this social publishing solution starts with a mature <a title="CMS or VCMS" href="http://www.vietsmall.com/vcms.php">Web CMS</a>, adds a blog system, and then offers discussion forums, community features, and extensibility through 1,800 add-on modules &#8212; many of them also open source. Given this flexibility, it&#8217;s not surprising that Drupal powers about 250,000 live sites &#8212; including big names such as Federal Express, The Onion, and Popular Science.</p>
<p>But big organization or small, there&#8217;s a dark side to Drupal: You&#8217;ll probably need the services of an experienced support staff or a costly consultancy that has mastered a complex setup and knows how to assemble all the building blocks into a workable system. Now, for those with limited resources, Acquia is stepping in with a commercially supported Drupal distribution along with a network that delivers patches and security updates.</p>
<h2>Laying Web Tracks</h2>
<p>I looked at Acquia Drupal 1.0, which includes the Drupal 6.4 core distribution, network modules for communicating with the Acquia Network, and the Acquia Network itself. The last item complements an easy deployment experience with support, online documentation, and performance monitoring.</p>
<p>The process starts when you sign up for an account at Acquia&#8217;s Web site and download its hardened Drupal distribution. You&#8217;ll still need to have hardware already set up with PHP, MySQL (or PostgreSQL), and a Web server, such as Apache. Don&#8217;t underestimate the work to get this running &#8212; especially in a large production setting. It took me about a day to set up and troubleshoot this stack on my Windows Server 2003 server.</p>
<p>However, when you get to loading Drupal, things get much easier. Acquia&#8217;s engineers have created the necessary customized settings files and configured a suite of contributed add-on modules. After just 30 minutes, I had a running Acquia Drupal site with blogs, forums, social networks (people could publish their profiles), articles, mashups, and Web content management.</p>
<p>Another big timesaver is Acquia&#8217;s set of pre-integrated add-on modules. Acquia looked at some 1,800 modules available for Drupal &#8212; then selected, fully tested, and integrated the essential ones you&#8217;d need for building a modern Web site.</p>
<p>Without detailing every add-in, I think Acquia made very good choices. For example, Content Construction Kit (CCK) lets me create custom content types using a simple wizard. Image creates picture galleries for your sites. Mollom protects sites from spam. And the VotingAPI gives developers a standard way to let users vote for and rate Drupal content. To add any of these modules to your site, you simply select them from Acquia Drupal&#8217;s administration menu, which renders drop-down choices at the top of the browser for controlling the site.</p>
<p>So without having to play around installing and configuring any extra modules, I went right to the content section of Acquia Drupal&#8217;s admin menu. After part of another day, I came away with a polished site that had a custom look, populated articles, a blog, video, discussion forums, and a tag cloud. Based on my earlier test of the community Drupal download, Acquia saved me at least a day of work integrating and preconfiguring the various components.</p>
<div>
<h2>Taking the Long View</h2>
<p>While deploying a major site quickly is a big accomplishment, keeping the site running, day in and day out, is much more important. The standard Drupal core already has decent management, accessed from a page available to administrators. But several Acquia network modules, installed during setup, take administration a few steps further. These enable your Acquia Drupal installation to communicate securely with the Acquia Network and exchange configuration, operation, and profile information.</p>
<p>In particular, Acquia Heartbeat monitors your site&#8217;s uptime and sends an alert when unexpected outages occur. Other network services promise to be just as valuable, though I didn&#8217;t have Acquia Drupal running long enough to fully test them. Code Modification Detection, for instance, automatically senses if you change code in a way that would make future updates difficult or introduce security holes.</p>
<p>Status of all network services is available from the Acquia Drupal portal, which I found easy to navigate and to use. As an example, the main page alerted me to software updates based on my system profile. I also got a lot of mileage out of Site Usage Statistics, which provides an at-a-glance view of user activity, including newly created content and comments; this is updated daily.</p>
<p>In addition, from the portal, I set up Remote Cron so that Acquia would periodically perform self-maintenance tasks, including caching operations.</p>
<p>A big part of what you&#8217;re paying for with Acquia Drupal is support; the portal offers a simple way to log support incidents and track your tickets. Depending on your purchase level, Acquia&#8217;s guaranteed response time can vary from a few hours to the next day. During my testing, Acquia did meet the specified response deadline &#8212; and resolved my questions satisfactorily.</p>
<p>There&#8217;s also a subscriber forum and documentation. Again, the service was fairly new during my tests, so these areas weren&#8217;t deeply populated. Still, in scanning the posts from other users, Acquia staff did seem responsive and offered solutions to users&#8217; questions.</p>
<h2>Time Will Tell</h2>
<p>Although Acquia Drupal was too new to completely evaluate some of the support options (such as discussion forums), the technical underpinnings of this service were solid. Setup and remote management of my Drupal Web site proved to be simple and uneventful. The Ticket Management system worked well. What&#8217;s more, I believe there are enough subscription levels and support methods (including by phone) for managing production Web sites of many sizes.</p>
<p>As a first version, Acquia has more work to do, too, which company representatives acknowledged. In a briefing, they indicated the staff is looking to integrate more modules, provide better documentation, have simpler deployments (cloud packaging and redistribution through shared hosts), and include more analytics.</p>
<p>Based on a week of testing, I can&#8217;t offer a meaningful assessment of Acquia&#8217;s technical support services, nor can I determine whether Acquia will live up to its promise to provide timely updates to Drupal that don&#8217;t break things. I can say that Acquia makes the deployment of Drupal considerably easier and adds valuable management tools. If the support network follows suit, Acquia Drupal will be a tempting option for organizations that lack the time or staff to deal with the patchwork of a raw Drupal environment.</p></div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://vcms.wordpress.com/2009/06/16/open-source-drupal-turns-pro/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/f847147ee15dc18b9937762939a2902d?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">viencanh</media:title>
		</media:content>
	</item>
		<item>
		<title>How to Not Get Hacked Like Sony</title>
		<link>http://vcms.wordpress.com/2009/06/16/how-to-not-get-hacked-like-sony/</link>
		<comments>http://vcms.wordpress.com/2009/06/16/how-to-not-get-hacked-like-sony/#comments</comments>
		<pubDate>Tue, 16 Jun 2009 06:06:33 +0000</pubDate>
		<dc:creator>viencanh</dc:creator>
				<category><![CDATA[Hacked]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SQL injection]]></category>
		<category><![CDATA[Web site]]></category>

		<guid isPermaLink="false"></guid>
		<description><![CDATA[The U.S. Sony Playstation Web site is the latest high-profile victim of a hacker attack on business sites that's spreading malware at breakneck pace, says a security vendor.]]></description>
			<content:encoded><![CDATA[<p>Sophos PLC reported that Sony had suffered an SQL injection attack last week. Malicious code was planted on pages of two popular Playstation games &#8212; SingStar Pop and God of War.</p>
<p>The digital security company alerted Sony to the problem, and it was fixed within 24 hours, says Graham Cluley, senior technology consultant with Sophos headquartered in Abingdon, U.K.</p>
<p>While the Playstation site is now clean, hundreds of other Web sites have been compromised by the same attack, he says. Affected sites are wide ranging, says Cluley, &#8220;from Brazilian and Chinese government sites to a garden pond supplier in Canada.&#8221;</p>
<p>The SQL injection attack is an old hacker trick that has found new life.</p>
<p>Its usage in recent months has soared, as cyber criminals use automated programs to scour the Web for pages and sites vulnerable to such exploits.</p>
<p>The attacks have transformed thousands of credible business Web pages on sites such as MSNBC into malware-peddling portals.</p>
<p>Attacks have ballooned in recent months. There is now a new malware-infected Web page every five seconds, according to Sophos. That&#8217;s three times the rate of infection compared to last year. Eight out of 10 Web sites suffering from the attack are legitimate business Web sites.</p>
<p>&#8220;There&#8217;s been a spate of attacks being called by a botnet named Asprox,&#8221; Cluley says. &#8220;It&#8217;s using innocent people&#8217;s computers to go on the Web and find vulnerable targets.&#8221;</p>
<p>An automated attack is to blame for the Sony hack, he adds. It wasn&#8217;t launched by a person, but an automated program that stumbled upon the code vulnerability on the Playstation pages and took advantage.</p>
<p>The attacks don&#8217;t exploit a specific software vulnerability, but take advantage of poor coding practices, according to a Microsoft Security Advisory. Companies that access and manipulate data in a relational database such as SQL Server from a Web site are at risk.</p>
<p>It comes down to a problem with a Web application, says Brian Bourne, president of Toronto-based security analyst firm CMS Consulting Inc. Developers are failing to do proper code checking to prevent the attacks.</p>
<p>&#8220;They&#8217;re not doing input validation,&#8221; he explains. &#8220;They&#8217;re not looking at it and saying &#8216;hey, this is not regular user input&#8217; &#8212; that&#8217;s the simple version.&#8221;</p>
<p>But Web administrators have to shoulder the burden of blame too, Bourne adds. They&#8217;re responsible for creating a layered security approach to protect against known and yet-to-be-discovered exploits.</p>
<p>The fake scan that surfers saw when exposed to the hack, graphic courtesy of Sophos.</p>
<p>The most common variety of the hack is a direct insertion of code into a place where a user inputs information. That gives hackers an opportunity to inject SQL commands that are executed blindly by the server.</p>
<p>Video game fans surfing on the Playstation Web site were subjected to a pop-up window that displayed a fake virus scan running, followed by a message that their computer was ridden with viruses and Trojans. The surfer was then offered a fake anti-virus software package for a fee.</p>
<p>Hackers could alter the malicious payload to be even worse, according to Sophos. The attacks are often used to collect personal information in identity theft scams, or to recruit more computers onto a botnet.</p>
<p>SQL injection is an &#8220;extremely effective&#8221; method of attack that can be easily hidden in the nooks and crannies of Web code, Cluley says. The problem lies with a lack of rigorous checking of code by the administrators affected.</p>
<p>&#8220;If they&#8217;re not doing proper checking, hackers can start to embed and inject code into their database,&#8221; the consultant explains. &#8220;[The database] ends up peppered with small pieces of code calling up third-party Web sites.&#8221;</p>
<p>Such attacks have become so pervasive that Microsoft responded to the SQL Server user community last week with two free tools and a security advisory to help Web admins safeguard against SQL injection.</p>
<p>Here are the tools and tips passed on by Microsoft and Bourne:</p>
<p>Detect: Hewlett Packard has developed a free scan that can identify whether a Web site is susceptible to SQL injection attacks. HP Scrawlr can be downloaded at the HP Security Center.</p>
<p>Test: Toronto-based company Security Compass has a suite of plug-in tools that can be used with the Firefox browser. Web developers have the convenience of looking for SQL injection vulnerabilities with the click of a button. <a href="http://www.securitycompass.com/exploit_me/sqlime/sqlime-0.2.xpi" target="_blank">Download SQL Inject-Me</a>.</p>
<p>Defend: Scrutinize more carefully the HTTP requests being made by SQL commands on a Web site. A Microsoft security tool will allow you to put restrictions on what the Internet Information Services will process from the server. It could block harmful requests from ever getting to the Web application. <a href="http://learn.iis.net/page.aspx/473/using-urlscan" target="_blank">Download URLScan Tool 3.0 Beta</a>.</p>
<p>Identify: For those using ASP code on their Web sites, another Microsoft tool can analyze the code and then output a display of the areas that are vulnerable to SQL injection. The tool also comes with documentation that actually tells users how to fix the different problems that could be found in the code analyzed. Download the Microsoft Source Code Analyzer for SQL Injection at <a href="http://support.microsoft.com/kb/954476" target="_blank">Microsoft Knowledge Base Article 954476</a>.</p>
<p>Fixing the actual root of the problem is important, Cluley says. A Web site that simply removes the injected code but doesn&#8217;t patch up the exploit will find the code is re-inserted in short order by automated botnets.</p>
<p>It&#8217;s not clear what steps Sony has taken with its Web site at this time. &#8220;We haven&#8217;t heard directly back from their Web team,&#8221; the Sophos consultant says.</p>
<p>ITBusiness.ca attempted to contact Sony, but did not receive a response.</p>
]]></content:encoded>
			<wfw:commentRss>http://vcms.wordpress.com/2009/06/16/how-to-not-get-hacked-like-sony/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/f847147ee15dc18b9937762939a2902d?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">viencanh</media:title>
		</media:content>
	</item>
	</channel>
</rss>
