computer parts

NGINX was developed by Russian engineer Igor Syosev in 2002 in response to the growth in website traffic and broadband internet and the resulting need to manage 10,000 simultaneous connections. His solution is an asynchronous, event-driven architecture renowned for its high-performance and efficiency.

The company has enjoyed rapid growth since then. More than 300 million sites and applications are now on its platform, more than double the number of one year ago, and it has become the engine of choice for the majority of world's 100,000 busiest sites.

It's particularly popular for its scalability and the minimal resources it requires to handle heavy user loads. It can also function as a reverse proxy and as a mail proxy server.

Read next: NGINX moves towards web server dominance with European expansion

Apache was founded in 1995 and became the most used HTTP server the next year, a title it held for almost 20 years. Microsoft surpassed its market shared in July 2014, according to Netcraft, and Apache has been losing ground to its competitors since then. It still powers a total of more than 374 million sites as of February 2017, and has the largest market share of active sites, at 45.8 percent.

The name Apache was long thought to be a pun on the words "A Patchy Server", until one of the creators revealed in 2000 that it was in fact chosen in homage to the aggressive strategy of the Native American tribe.

Apache uses a modular architecture to meet the differing demands of each individual piece of infrastructure. It’s known for its reliability, its impressive range of features and its support for numerous server-side programming languages.

"Lighttpd" is a portmanteau of "light" and "httpd" but pronounced "lighty" to describe its speed, flexibility and stability. The lightweight server is optimised for high-performance speed-critical environments and is ideally suited to servers with a high load.

Jan Kneschke developed the server with the same ambition as that of NGINX founder Igor Syosev: to solve the c10k problem of handling 10,000 concurrent connections on one server. The proof-of-concept design he began to develop while writing his university thesis in 2003 is now one of the most popular web servers available.

Lighttpd has a comparatively low memory footprint, small CPU-load and advanced set of features. It's high-level of integrability provides support for interfaces to external programs and for web applications written in any programming language to be used with the server.

Hiawatha was developed by Hugo Leisink in 2002 while he was a studying __computer science in the Netherlands to support internet servers in the student houses. He wanted to develop a system that addressed the vulnerabilities found in other servers around security limitations and confusing configuration tools.

The server he wrote adds a number of unique security features to all the regular security measures found in other leading web servers. It also uses a readable configuration syntax that can be used without the need for expertise in HTTP or CGI.

Hiawatha’s strengths lie in its ease of installation, impressive security and small size. It’s ideally suited for anyone seeking a lightweight alternative to Apache, who prioritises security usability, speed and performance over advanced features.

Cherokee is the third entry on our list to take its name from a Native American tribe. Red Hat OpenStack R&D Engineering Manager Alvaro Lopez Ortega began working on the server in 2001 with the aim of combining impressive speed and functionality in a modular, lightweight design.

The web server has gained prominence since then as a scalable, high-performance, and user-friendly option with a low memory footprint, and load balancing facilities.

An impressive range of features includes a web-based administration interface called cherokee-admin that supports a straightforward configuration of the server and all its features. Cherokee runs natively on Linux, Mac OS X, BSD and Solaris, but not on Windows.

Monkey HTTP is a lightweight server and development stack that was originally optimised for Linux but is now also compatible with Mac OS X. It was designed for embedded devices, and as a result is highly scalable, with low memory and low CPU consumption.

The project began life in 2001 with few ambitions beyond learning through experimentation but took a turn towards professional applications in 2008 when it was rewritten work in event-driven mode.

The server functions through a hybrid mechanism that provides each thread with the capacity to attend thousands of clients. It offers high-performance under high load in a minuscule size on installation and runtime that is easy to install and ideal for embedded devices.

Apache Tomcat is a Servlet and Java Server Pages container developed under the Apache license that can act as both a standalone server or as an add-on to an existing web server such as Apache.

While the Apache HTTP Server functions as a traditional server for static web pages, Tomcat is primarily designed to deploy Java servlets and JSPs in dynamic websites and is used by Java developers to run web applications.

Tomcat can be used in conjunction with the Apache HTTP server, but it also functions as a capable web server in its own right thanks to its own internal HTTP server.

Zoho Invoice offers a powerful yet easy to use tool designed to create professional invoices, manage automatic payment reminders and create pathways for online payments.

Although Zoho offers a free forever plan, it is far from a 'value' option. Zoho offers a great range of features to suit small but growing organisations that match (if not rival) their more costly counterparts. And if you do find that the free version is lacking in features, it could be worthwhile looking at Zoho Books for an inclusive accounting service.

Feature-wise Zoho Invoice offers invoice templates, email templates, estimates, credit notes, recurring invoices and automated reminders. This is all provides in an easy to use dashboard with a Google Analytics style tab system.

Sadly, Zoho is limited in the amount of third-party integrations it can support. Zoho can support the integration of it's internal software such as Zoho CRM, Zoho Projects, Zoho Docs, and Zoho People, but this might be too limiting for some businesses that require a range of accounting functionality.

QuickBooks offers a whole suite of accounting, invoicing and financial services for small businesses and larger ones.

Every QuickBook subscriber (all 1.5 million of them) has access to a real-time dashboard available on both a desktop and mobile, cloud accounting service, bookkeeping and full financial management.

With QuickBooks, users can estimate tax payments, track deductible mileage, create and send invoices, manage VAT, run payroll, provide multiple currencies and control stock levels.

Fully taking advantage of the collaborative nature of the cloud and its online platform, QuickBooks users access their user portal from any PC and utilise its toolbox of useful features without downloading any files and modify the dashboard to suit your business needs.

For example, users can easily add new customers, items or billed services with ease and create professional invoices from this database.

InvoiceBerry offers a dedicated invoicing service, offering recurring invoices, expense tracking, quotes, totally customisable invoices and multiple currency invoices.

What's more, InvoiceBerry will send reminders for late-payers, add credit notes and even send thank you emails after payment.

Unlike some tools listed, InvoiceBerry is designed solely for small and micro businesses offering a quick and simple dashboard and invoice creator with over 15 invoice templates on offer.

InvoiceBerry does offer a free forever payment tier, however this may be more suited to freelancers as it only includes three clients and two invoice templates. InvoiceBerry offers two other payment platforms, Solo and Pro, with Solo offering 35 clients and 15 invoice templates, while Pro offers unlimited clients and users.

Like QuickBooks, FreshBooks offers a cloud-based accounting suite providing small businesses with reliable invoicing software that can monitor tracking, payments and provide detailed financial reports over a user-friendly online dashboard.

Like with all cloud-based services, multi-device login is extremely easy, all you need is your login information. What's more, the data stored with Freshbooks is backed-up regularly, and automatically, making low maintenance invoicing possible.

What's good about Freshbooks is that all four pricing structures offer unlimited invoices, expenses, time tracking, PayPal, MailChimp and Basecamp integration (to name a few), credit card payments and totally customisable invoice templates.

Invoice2go offers a cloud-based Android, iOS and web invoicing application ideal for most small businesses. Compared to others listed Invoice2go is definitely more simplistic, and this is definitely not a bad thing. Invoice2go provides its users with around 40 fonts, 20 colour schemes and 50 background images, delivering total customisation.

What's more, this invoicing app's dashboard clearly displays which accounts are overdue, company sales, payments and profits. So, while it offers only one simple service - invoicing - this platform does it well. However, for those looking for more features such as online payments, credit notes and a myriad of third-party integrations, this platform won't be for you.

One thing worth noting, is that Invoice2go does not send out automatic overdue notifications which mean manual push notifications will be required. While not a problem for some, for those with high levels of invoicing, this could become a big task pretty quickly.

SliQ Tools provides a totally customisable experience for businesses and their invoicing needs. So this online invoicing tool will store customer, product and services data while providing absolute control over the aesthetics and brand customisation of invoices and business quotes. 

Businesses opting for SliQ Tools will be able to set up recurring transactions and invoices, add personalised delivery notes for customers, attach the invoice as a PDF and save it for later to be printed, exported or emailed.

Sadly, SliQ Tools does lack the sleek, simple design and user experience that others listed have to offer. SliQ users will have to enter email server, port and login details to use Gmail and other web-based email clients which can make the user experience feel a bit clunky.

However, for businesses wanting maximum creative control, this is a good choice for standalone billing and invoicing desktop software.

Like SliQ Tools, Express Invoice's user interface does look a little dated compared to the simplistic design of QuickBooks, Freshbooks and InvoiceBerry. However, for simply creating invoices and managing bills, Express Invoice is still a good option for small businesses.

Express Invoice users will be able to manage customers, create quotes, send invoices and process payments, while also provide good customisation. Users will be able to choose from 12 different invoice templates and then customise them. What's more, users will be able to set invoices to recur, print, save it and email it.

Express Invoice definitely takes an 'old school' approach to invoicing and while, in terms of features this is definitely noticeable, users will still receive a solid piece of invoicing software that can sync between PCs, smartphones, tablets via the Express Invoice app, which is pretty handy.

Invoice Home offers an invoicing platform that lets its users create, send and download invoices with free and unlimited plans available, ideal for small businesses and startups.

Invoice Home users will have access to its template library (containing over 100 different invoice styles), auto numbering, custom branding, online payments (for example, PayPal) and access to over 150 different currencies.

The usability of Invoice Home is one of its best features, as it provides simple step by step instructions and a range of different types of invoices (all based on a set template structure) including tax invoices, proforma invoices, receipts, sales receipts, quotes, estimates, credit memos, credit notes and purchase orders.

Perhaps considered a more traditional piece of invoicing software, kBilling offers a lot of good features including recurring bills, unlimited customers, customer and product databases, password protection and free technical support. However, it does run a dated user interface, which is sometimes clunky.

Interestingly, kBilling does provide credit card support from within the software while most of the others listed offer third-party payment support.

kBilling offers lots of different invoice templates and some customisation, but if you're wanting extensive customisation you might want to choose another company. And while the software may be a little trickier to navigate, kBilling does offer a good invoicing service that shouldn't be left out of the list when choosing which firm to go with.

White hat security researchers at MalwareMustDie discovered a new trojan that played on the ELF file execution format found in Unix. They discovered that the binary was called “mirai.*”, and its main functionality was sending out telnet attacks to other systems. MalwareMustDie warned at the time that ELF Linux/Mirai had an extremely low detection ratio, including in x86 architecture. “The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR, or WebIP Camera,” they wrote. 

In short, Mirai searches the internet for devices that are easy to compromise and brute-forces its way in using a list of simple passwords. It then hunts for more vulnerable devices via the Telnet remote network protocol, creating an enormous self-replicating network that can be pointed at websites or services.

Independent security researcher Brian Krebs had a DDoS pointed at his website in September, running at an astonishing 620 Gigabits per second. The company that protects his website, Akamai, noted that the attack appeared to “have been launched almost exclusively by a very large botnet of hacked devices”.

“Someone has a botnet with capabilities we haven’t seen before,” Akamai’s Martin McKeay said. “We looked at the traffic coming from the attacking systems, and they weren’t just from one region of the world or from a small subset of networks, they were everywhere.”

The CTO of French cloud and web hosting company OVH, Octave Klaba, reported a huge DDoS attack on several of its customer’s websites. Klaba noted that the attacks came from 145,607 separate devices, sending a DDoS at OVH at more than 1.5 Terabytes per second. They were largely from WebIP cameras, but OVH also noticed traffic from routers, NAS boxes, DVRs and Raspberry Pis.

“What all these connected devices have in common is the existence of security vulnerabilities caused by a flawed software design or gross negligence on the part of their manufacturers,” OVH wrote in a blog post.

Someone called Anna-senpai said on the Hackforums message board that the scope of the Krebs attack had caused ISPs to “clean up their act” – and that the “max pull is about 300k bots, and dropping.” So the user made the code open source, free for all to access.

Colorado-based Level 3 Communications examined the command and control (C2) server that communicates with compromised IoT devices and estimated that these rose from 213,000 to at least 493,000 since the source code was made public.

“We have been able to identify bots via communications with the C2,” Level 3 wrote. “Once new bots are identified, their common communications lead to new C2s, which then lead to more bots.”

Dyn, a core internet services provider for Twitter, Spotify, Reddit and other popular websites, was hit with an enormous DDoS attack on its DNS infrastructure on the east coast of America. The DDoS caused the sites to slow down or stop working entirely.

An updated type of Mirai running code that exploits security holes in routers by OEM manufacturers Zyxel and Speedport brought down web access for almost a million Deutsche Telekom customers for two days.

Researchers at ICS SANS said: “For the last couple days, attacks against port 7547 have increased substantially. These scans appear to exploit a vulnerability in popular DSL routers. This may have already caused severe issues for German ISP Deutsche Telekom and may affect others as well. For Deutsche Telekom, Speedport routers appeared to be the main issue.”

Two hackers calling themselves BestBuy and Popopret began advertising that their Mirai botnet of 400,000 bots was up for rent. BestBuy told a journalist for Motherboard that the two of them were behind the Deutsche Telekom outage and apologised. “It was not our intention,” BestBuy said.

Buyers could rent 20,000 compromised nodes for $2,000 to launch hour-long attacks across two weeks. For $20,000, customers could make full use of 600,000 bots capable of reaching traffic of 700 Gbps.

Mirai DDoS took much of Liberia’s websites offline throughout a week in November. Security researcher Kevin Beaumont wrote at the time: “Over the past week we’ve seen continued short duration attacks on infrastructure in the nation of Liberia. Liberia has one internet cable, installed in 2011, which provides a single point of failure for internet access.

"From monitoring we can see websites hosted in the country going offline during the attacks – additionally a source in the country at a telco has confirmed to a journalist they are seeing intermittent internet connectivity, at times which directly match the attack.

"The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state.”

British ISP TalkTalk reported that customers using its Dlink DSL-3780 router had been targeted by Mirai. Post Office Telecom, meanwhile, said that it had also been targeted by a suspected Mirai attack that left customers without access to broadband.

The security researcher whose own site was first famously attacked by Mirai, Brian Krebs, put in “hundreds of hours of research” – ultimately claiming that there were enough similarities between ‘Anna-Senpai’ to the owner of a DDoS mitigation company called ProTraf Solutions, Paras Jha. 

Kaspersky Lab researchers found that a Chinese-speaking hacker had created a version of Mirai based on the Windows operating system. The company pointed out that its ability to spread across operating systems was limited: “It can only deliver the Mirai bots from an infected Windows host to a vulnerable Linux IoT device if it is able to successfully brute-force a remote telnet connection.”

But it was a signal that the Mirai threat will evolve in new and unexpected ways, the researchers said, for some time to come.

The bot was coded and compiled on a Chinese system, Kaspersky added, and signed with stolen code-signing certificates from Xi’an JingTech electronic Technology and Partner Tech (Shanghai), a pair of silicon and wafer manufacturers.

The National Crime Agency arrested a 29-year-old man at Luton airport under suspicion of being the perpetrator of the Deutsche Telekom Mirai attack. Germany’s federal criminal police force is seeking extradition, who are treating the crime as a threat to the country’s wider infrastructure.

“Comprehensive security guidelines and industrial standards for IoT manufacturers would help,” says Alex Mathews, lead security evangelist for Positive Technologies.

There has been progress on this, and Mathews points to the Industrial Internet Security Framework published last September – a collaborative project between players including Intel, AT&T, Hitachi, Fujitsu, Kaspersky, and many more – as a solid start.

There are other papers out there on the matter, including a 2016 whitepaper from the US’ Department for Homeland Security called Strategic Principles for Securing the Internet of Things. It warns: “Many of the vulnerabilities in IoT could be mitigated through recognised security best practices, but too many products today do not incorporate even basic security measures.” Click through for a more comprehensive rundown on advice from the US government (PDF). 

Although budget constraints could make it tempting to opt for a newer business that promises the world or less well-known player at cheaper cost, keeping your network of devices updated is critical to security – so if your supplier suddenly isn’t around anymore your organisation becomes exposed.

“Make sure it’s a well-known and reliable supplier that’s likely to be around for the long-term,” says R&D director at Rocket Software, George Smyth. “IoT devices need to be updated regularly when a new security flaw is discovered. If you bought from a company that has gone bust, you’ll end up with a device that’s basically useless. You need to buy from a manufacturer that will be around for years to come, so they can provide patches and fixes to any bugs that may arise.”

In the wake of the Mirai botnet attack, Michael Marriott, research analyst at Digital Shadows, had this to say: “Don’t be part of the problem. Secure your own devices and don’t use default or generic passwords – and consider disabling all remote access to devices and perform administrative tasks internally. Instead of via Telnet, FTP and HTTP, use SSH, SFTP and HTTPS.asdf.”

“To address DNS reflection, disable recursion on authoritative name servers and limit recursion to authorised clients,” he says. “To address NTP reflection, update ntpd to the latest version and disable the monitor function for legacy ntpd versions.”

Click through for Digital Shadows’ Mirai and the Future whitepaper here (PDF). 

It goes without saying that the internet is integral to the internet of things – but it’s easy to lose track of exactly what that means. The IoT search engine Shodan allows anyone in the world to browse thousands of internet-connected devices. 

Each and every connected device needs to be considered a potential access point for malicious actors.

“Businesses should place all IoT on its own VLAN, and that VLAN should not have routable access to the internal enterprise business network,” says research lead at Rapid7, Deral Heiland. “The VLAN should also not be directly accessible from the internet, and egress firewall filters on that VLAN should be configured to only allow IoT devices to connect to specific cloud IP addresses, as needed for cloud API communication.”

“This method will reduce the risk and impact to an organisation by reducing the exposure footprint. If there is a compromise, it should help isolate it outside the business network environment.”

And Verizon’s Data Breach Digest (PDF) recommends that IoT systems should be air-gapped from critical networks wherever possible.

The recent MongoDB database ransomware was largely thought to have occurred in test environments – but not always test environments – where default or weak passwords were used. So it should go without saying that these should be changed. Again, basic security practice should be applied to the IoT network.

See also: The MongoDB ransomware attacks - what your business needs to know

“Only large, complex passwords should be used,” says Rapid7’s Deral Heiland. “This password should not contain any dictionary word or any part of the organisation’s name. It’s also important these passwords be unique across the IoT technology, because this will help avoid the compromise of all devices within an organisation if one device is compromised.”

“And if the IoT technology utilises its own wireless access point, it is critical that it be configured with the highest level of security possible – often this is WPA2 with AES256. The WPA2 Pre Shared Key should also be changed from default and a complex PSK should be utilised, this shouldn’t contain any dictionary words or any part of the organisation’s name.”

Businesses taking advantage of IoT are increasing the range of the scale of their full infrastructure and by doing so create more potentially weak points in the chain.

“Organisations must look at the full IoT infrastructure from end-to-end and secure all points,” says Winston Bond, EMEA technical director for Arxan. “A typical IoT framework consists of edge devices like sensors, adapters and beacons, as well as a gateway to communicate with these devices, and a back-end server in the cloud or on-premises.”

“Companies need to take each section separately and start addressing security issues for each,” he says. “From protecting the endpoints to hardening the binary code on the apps.”

As with many nascent technologies, manufacturers don’t necessarily consider the full security risks when they rush to build and release their products.

That’s no exception for the internet of things, and although some will be more secure than others, it’s best not to trust the manufacturers to have baked in security from the beginning.

“IoT devices are hard to protect and most were not made with any consideration to security,” says Peter Nguyen, Director of Technical Services at LightCyber. “They are built for easy connectivity to share information or receive instructions. Many lack robust access control or the ability to use secure, changeable passwords – it’s unlikely that effective endpoint protection software can run on such devices.”

Rob Miller, head of operational technology at MWR InfoSecurity, believes that Manufacturers need to wake up to the fact it will also benefit them to design products with the latest attacks in mind, plus remote updating by default.

“There are no golden badges to look for when assessing a product’s security features, so instead many consumers and businesses choose to buy from manufacturers that can demonstrate their interest in security,” Miller says. “This might be in a warranty that includes security updates, or activity in the security community such as having a bug bounty programme.”