Knowledge Essentials - 3Essentials Hosting

Security Best Practices

Article ID: 304


You want to get your information, product or news out there to anyone and everyone who wants to see it.  So you set up an Internet-based website, and everyone can now reach it.  The only problem is "everyone" includes a few folks with malicious intent.  This article is intended to give you some information about who hackers are, what they want, and what some of the common ways to protect yourself are.  We also digress a little into a discussion on identity theft... this is relevant because many folks unnecessarily include personal information on their websites, which may not be the best idea.

Hackers, who and why:

In general, hackers come in two flavors: pranksters and criminals.

  • pranksters:  It started with pranksters... people finding a way into a website and then changing text on the main page to let site visitors know the site had been hacked.  You might envision a pimple-faced 17-year-old boy who spends 4 hours hacking into your site just to leave "kilroy was here" on the main page.  But if you've been defaced by a hacker, odds are he did it in seconds using an automated script that would impress many highly paid developers.  There is an entire underground of pranksters who operate from Internet Service Providers located in countries where there are far fewer controls, enforcement and penalties on this type of activity.  These guys are talented programmers who have compiled extensive lists of known and common security holes and exploits and have built scripts which probe your entire site looking for these known exploits.  These scripts report back to them which exploits were found, then they execute other scripts targeted at that exploit.  Further, these pranksters have their code report back to scoring websites that actually list and rank how many sites they've defaced this week, month, year, etc... It's a giant competition, and the loser is you.
  • criminals: the pranksters are one thing... but the criminal world realized they could use prankster techniques to get information contained within a site, and then use that information for profit.  With a prankster, you knew he was there, because he defaced your page.  A criminal doesn't want you to ever know he was there, so criminals are much more dangerous.  There are small-time crooks that are after small pieces of information for purposes like identity theft, and then there are larger crooks that are after credit card numbers which they can sell on black market/underground websites (hosted in Amsterdam, China, Russia...), and then there are the big-time crooks, who (lucky for you and me) focus on big targets like major banks (after all, why try to steal 100 credit card numbers from a small business, when you can steal 300,000 from a bank).  Over the past 3-5 years there have been many major banking institutions that have disclosed they were victims of this type of activity, and had hundreds of thousands of credit card numbers compromised.  These are major financial institutions which have dedicated security and development staff and significant budgets for information security... and they are still getting hacked.  Keep this in mind - you cannot do too much to secure information contained within your site.

Things you can do to protect your site, your customers and yourself:

In general, when we see a customer's website has been compromised, it's almost always one of a few things which we'll cover here.  Conduct a security review of your site by checking your site for these common security missteps:

  • Never use the email account "info@yourdomain.com":  This is the single most brute-force attacked email account on any domain.  Every hacker assumes a company will have an "info@theirdomain.com" email address, and so they make brute-force password cracking attempts against it.  How do you defeat them?  Make your info@ email address something else, anything else... even "information@yourdomain.com", but preferably something more unique.
  • Unrestricted file upload:  This is the single most common method we've found hackers use to compromise people's websites. Website developers put a file upload function in their website because they want visitors to be able to upload something (music file, pictures, etc), but they don't lock down the type of files that can be uploaded.  So hackers upload a script (php, asp, aspx)... once it's there, they can execute it under your site's security id, by simply hitting the URL (like http://yourdomain.com/uploadfiles/hackerfile.asp).  Once that script is there, they have complete and unrestricted access to your site and files... why?  Because they can execute a script on your site which contains their code, but runs under your id.  They can read, delete, and modify files - they can do whatever they want to your site.  To stop this, make sure your file upload function restricts the types of files that can be uploaded.  We have ASPSmartUpload installed on our servers and sample code at ASPSmartUpload Sample Code.  Note that this component (and the sample code) limits the file extensions that can be uploaded.  For instance, if you want folks to upload pictures, restrict the upload file types to: bmp, jpg, gif (etc).  Do not ever let someone have the ability to upload script/executable code.
  • 3rd party software packages:  "3rd party" meaning, someone else developed it... 3rd party software is great... quite often you can find free or low-cost solutions that do exactly what you were looking for, and you don't have to write a single line of code, you just install the ready-to-run package.  This is great for things like forums, blogs, shopping carts...  These are great solutions which can save you a lot of time developing your site, and get you up and running quickly with a professional-looking solution with minimal effort on your part.  There are, however, two problems in general with 3rd party solutions:
    • common code means common hacks:  If a hacker finds a flaw in ABC's Forum v1.0 package, and can exploit that flaw to hack a site using this package... then he not only has access to the first site he finds with ABC's Forum v1.0, but he has access to EVERY site running that forum software.  So he quickly starts probing sites across the internet looking for sites running this same solution.  So using these packages means you've got hackers focused on finding their exploits, because there is some "economy of scale" once an exploit is found.  To help protect yourself, sign up for the package's "update newsletters" to be sure you're getting notified of any updates/fixes/patches that are released, and apply these in a timely fashion to your website.  If you can get ABC's Forum v1.1 applied quickly, you reduce the amount of time your site is online with the exploit/flaw present in ABC's Forum v1.0.  Check for and apply updates quickly for 3rd party applications.
    • open source means x-ray vision: Imagine playing poker with a hacker where he can see your cards but you can't see his.  How do you expect to win?  This is the concept behind what I mean by "open source means x-ray vision".  Many of these low- or no-cost 3rd party packages are open source and community supported.  And while this does have its advantages, it also means that hackers have access to the exact code running on your site when you use these packages... it means they are able to review it in detail and find where there might be exploits, flaws, holes in security.  When you use a non-open source solution, you will typically find that the product is encrypted, and the source code is not available to you or to hackers.  While this removes your ability to modify the code yourself, it also removes a hacker's x-ray view into your site code and its possible exploits.  Be aware of this as you use open source code, and as noted before, the best protection is to check for and apply updates quickly for these 3rd party open source applications.
  • Session variables vs QueryString: Depending on the scripting technology you're using, you'll have various methods of passing data and variables from one page to another.  In general, you can do this via a querystring or a session variable.  The querystring solution passes the variable in the URL (www.yourdomain.com/somefile.asp?somevar=X), whereas a session variable passes it within memory space on the webserver.  It should be obvious that the querystring lets a visitor see the variable name and value, and a session variable doesn't.  In many cases, seeing the variable and value can give a hacker insight into your site code and provide a method to directly submit any variables he'd like.  Consider this example:

www.yourdomain.com/customers.asp?sql=select NAME from CustomerDatabase where NAME = john (note, it would actually show up slightly differently in your URL, but this is for illustration purposes).

When a hacker sees this, he will immediately start trying to hit your sites with things like:

www.yourdomain.com/customers.asp?sql=select CREDIT CARDS from CustomerDatabase where NAME like %

If you use session variables, visitors don't get any insight as to how your code works, and they are not able to inject their own parameters into your code. Use session variables and educate yourself about SQL injection.  SQL injection covers techniques similar to the example here, used to modify your SQL queries by appending information to a URL's query string... there are many articles on the internet which review this vulnerability and discuss how to protect from it.  (see our article on SQL Injection)
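The query string example above shows the attacker's view; the defence is to make sure a submitted value can never become part of the SQL statement, whichever way it arrives. The following is an added example (not code from the article or from 3Essentials) using Python's built-in sqlite3 module and a constructed in-memory Customers table: a vulnerable lookup that glues the visitor's value into the query, beside a parameterised lookup, both fed the same "1=1" probe value.

```python
import sqlite3


def build_db():
    """Constructed in-memory customer table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (name TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO Customers VALUES (?, ?)",
        [("john", "4111-1111-1111-1111"), ("mary", "5500-0000-0000-0004")],
    )
    return conn


def find_customer_unsafe(conn, name):
    """Vulnerable: the visitor's value is pasted into the SQL text, which is
    what the ?sql=... query string in the article amounts to."""
    sql = "SELECT name FROM Customers WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_customer_safe(conn, name):
    """Parameterised: the value travels separately from the SQL text, so the
    database compares it as a literal string and it can never change the query."""
    sql = "SELECT name FROM Customers WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


# Constructed probe value built on the 1=1 pattern the article tells you to
# watch for in your logs: it closes the quoted string, adds an always-true
# condition, and comments out the rest of the statement.
PROBE = "x' OR 1=1 --"

if __name__ == "__main__":
    db = build_db()
    print("safe lookup, john :", find_customer_safe(db, "john"))
    print("safe lookup, probe:", find_customer_safe(db, PROBE))      # no rows
    print("unsafe lookup, probe:", find_customer_unsafe(db, PROBE))  # every row
```

Moving the value from the query string into a session variable hides it from the visitor, but the unsafe function would still be exploitable by anyone who works out the parameter name; the parameterised version is safe regardless of how the value reaches the page, which is why both steps belong together.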
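For the unrestricted file upload item earlier in this list, here is an added example (not code from the article, and not the ASPSmartUpload sample the article links to) of the check an upload handler should make before keeping a file, written in Python: an allowlist of extensions, a look at the file's leading bytes so that a script renamed to .jpg is still rejected, and a server-chosen filename so the visitor's own name never reaches the filesystem. The extension list, size limit and sample submissions are constructed for the example.

```python
import os
import uuid

# Allowlist of extensions this upload form accepts (constructed for this example;
# use only the types your form is actually meant to receive).
ALLOWED_EXTENSIONS = {"bmp", "jpg", "jpeg", "gif", "png"}

# Leading bytes ("magic numbers") of each allowed image type, so that a script
# simply renamed to .jpg is rejected on content, not only on name.
MAGIC = {
    "bmp": (b"BM",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

MAX_BYTES = 5 * 1024 * 1024  # hypothetical size limit for this example


def check_upload(filename, data):
    """Validate one uploaded file.

    Returns (ok, reason, stored_name). When ok is False the file must be
    discarded; when ok is True, stored_name is the server-chosen name to
    save it under (never the visitor's own filename).
    """
    if len(data) > MAX_BYTES:
        return False, "file too large", None
    # Keep only the final path component so "../" in a submitted name is harmless.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return False, "no file extension", None
    # Judge by the LAST extension: "shell.php.jpg" is treated as .jpg and then
    # has to look like a JPEG below, so double extensions buy an attacker nothing.
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: ." + ext, None
    if not any(data.startswith(magic) for magic in MAGIC[ext]):
        return False, "content does not look like a ." + ext + " file", None
    # Random server-side name with a fixed, allowed extension: no visitor-controlled
    # characters ever reach the filesystem or a URL.
    stored_name = uuid.uuid4().hex + "." + ext
    return True, "ok", stored_name


if __name__ == "__main__":
    # Constructed sample submissions: a script, a renamed script, a path-traversal
    # name on a real GIF, and an ordinary photo.
    samples = [
        ("hackerfile.asp", b"<% Response.Write(\"hi\") %>"),
        ("shell.php.jpg", b"<?php echo 'hi'; ?>"),
        ("../../photo.gif", b"GIF89a" + b"\x00" * 16),
        ("holiday.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ]
    for name, payload in samples:
        print(name, "->", check_upload(name, payload))
```

As a defence in depth beyond the allowlist, keep the upload directory somewhere the webserver will not execute scripts (outside the web root, or with script handlers disabled for that folder), so that even a file that slips through the check cannot run under your site's id.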

  • Know what information you have and secure it: review your site top to bottom and make sure you realize what information is valuable:
    • what information do you have on your site or in databases associated with your site? 
    • Are you storing financial information about your company? Should you be storing that on a server open to the public or should you put it in a server that is "in-house" only?
    • Are you storing personal information about your customers?  Are you using SSL on the pages where you gather that information? 
    • Are you storing credit card numbers? Don't if you can avoid it.  Use 3rd party credit card processing services to offload the liability and management of this.  Or, if you need to store credit card numbers, make sure you are encrypting them, and are following other Payment Card Industry (PCI) compliance standards.
  • Check your logs: banks and other large institutions utilize IDS (intrusion detection systems) to probe through their website log files looking for signs of someone probing or exploiting a known issue.  These systems can be quite expensive, but you can do a "poor-man's" IDS yourself by simply reviewing your website log files.  If someone is probing you, you'll typically see it relatively easily in the log file, because you see a long string of hits from one source, and they typically request many files that aren't even there (they're trying to see what's there and what's not).  Look at what they are looking/probing for, and look at what types of requests they are making... is there anything there you should be concerned about?  Things to look for:
    • 1=1  If you see 1=1 it typically means someone is trying a SQL injection... i.e., they're trying to run a SQL command that says "return all records where 1=1"... since 1 always equals 1, it will return all records. There are many other techniques like this... if you have a database with sensitive information in it, you need to be knowledgeable in SQL injection techniques, and you need to specifically write your code to protect against it.
    • HTTP ERROR 404 - File Not Found: Typically, hackers first start by probing your site looking for any of a large list of files that they know to be exploitable... i.e., an "admin.asp" page for a popular forum.  If you don't have the forum installed, the webserver will return a "file not found" and record a code 404 in your logs.  If you see many of these 404s coming from a single IP, it's likely you're being scanned.  You can report these to 3Essentials (support team) who will block the IP and submit a complaint to the ISP who owns the IP address.
  • Use a knowledgeable, experienced website developer:  If you're developing your own website, and you're a novice, the biggest security risk is likely you. You wouldn't dream of performing brain surgery with no experience would you?  Yet people continue to develop and publish websites with virtually no knowledge or experience in how to design a secure site, and then wonder why they got hacked/defaced.
    • Developing the site yourself?  If you weren't already aware of the items we've listed here, then you're not prepared to design and deploy a secure site.  If you're just posting pictures of you and your family, then the risk is not a big deal.  But if you're starting a web-based business, or your website is the online face for your new startup company, then you're taking a risk.  Find a qualified developer, or start researching these topics on the internet or in various publications to help educate yourself on how to build a secure website.
    • Employing a website designer/developer?  Don't assume that because someone calls themselves a website designer that they are also competent in designing a secure site.  Many site designers get into design for the graphics aspect of it, and have no idea about the security and execution model for webservers.  How do you assess if your website designer is competent?  Start by asking them about the topics we discussed here - they should already be familiar with all of these topics and be able to discuss them intelligently, and to convey to you how and why their sites are secure.
  • Make a backup: read this article: Backup & Restore information
  • Observe best practices for passwords: read this article: http://knowledge.3essentials.com/web-hosting/article/676/Security-Best-Practices-Passwords.html
  • EDUCATE YOURSELF - read up on the nature of web application attacks and how to protect yourself... reading this one article here at 3Essentials KB is not sufficient... read other articles... here are some suggestions:
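The "Check your logs" item above describes the two signs to look for by eye: one address producing a run of 404s, and requests carrying "1=1". The following is an added example (not part of the article) of that poor-man's IDS as a script, written in Python against a few constructed log lines in the common log format that most webservers can produce; the threshold of three 404s and the marker strings are assumptions for the example, not 3Essentials' rules.

```python
import re
from urllib.parse import unquote_plus

# Common Log Format: ip ident user [time] "method url proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Substrings in a decoded URL that point at SQL injection probing: the 1=1
# pattern from the article plus two constructed neighbours.
INJECTION_MARKERS = ("1=1", "' or ", "union select")


def parse_line(line):
    """Split one log line into its interesting fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, url, status = m.groups()
    return {"ip": ip, "method": method, "url": url, "status": int(status)}


def review_log(lines, max_404=3):
    """Return the IPs with at least max_404 'file not found' hits, and every
    request whose URL-decoded path or query carries an injection marker."""
    not_found = {}
    injection = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            not_found[rec["ip"]] = not_found.get(rec["ip"], 0) + 1
        # Decode %3D, + and friends first so "1%3D1" is seen as "1=1".
        decoded = unquote_plus(rec["url"]).lower()
        if any(marker in decoded for marker in INJECTION_MARKERS):
            injection.append((rec["ip"], rec["url"]))
    scanners = {ip: n for ip, n in not_found.items() if n >= max_404}
    return {"scanners": scanners, "injection": injection}


# Constructed sample log: one address probing for admin pages of packages that
# are not installed and then trying an injection, and one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2007:13:55:36 -0700] "GET /forum/admin.asp HTTP/1.0" 404 213',
    '203.0.113.7 - - [10/Oct/2007:13:55:37 -0700] "GET /phpbb/admin.php HTTP/1.0" 404 213',
    '203.0.113.7 - - [10/Oct/2007:13:55:38 -0700] "GET /wp-admin/ HTTP/1.0" 404 213',
    '203.0.113.7 - - [10/Oct/2007:13:55:40 -0700] "GET /customers.asp?sql=select+NAME+from+CustomerDatabase+where+1%3D1 HTTP/1.0" 200 512',
    '198.51.100.4 - - [10/Oct/2007:14:01:02 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.4 - - [10/Oct/2007:14:01:03 -0700] "GET /images/logo.gif HTTP/1.0" 200 5120',
    '198.51.100.4 - - [10/Oct/2007:14:01:05 -0700] "GET /missing.gif HTTP/1.0" 404 213',
]

if __name__ == "__main__":
    report = review_log(SAMPLE_LOG)
    for ip, count in report["scanners"].items():
        print("possible scanner:", ip, "with", count, "404s")
    for ip, url in report["injection"]:
        print("possible SQL injection probe from", ip, ":", url)
```

The one-visitor-one-404 case stays below the threshold, which is the point of counting per address rather than alarming on every missing file; the addresses the script flags are the ones worth reporting to the support team as the article suggests.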

Protecting yourself against identity theft:

Everyone should be familiar with identity theft, but just in case you just returned from a 5-year vacation in Antarctica, I'll review... Identity theft is where someone is able to impersonate you for the purpose of obtaining credit cards, checking accounts, etc, and then running up tremendous debt which they leave in your name.  They don't target your existing accounts... they open NEW accounts in your name, so you aren't even aware of them.  Then, they incur lots of debt on them, and they disappear... when the banks/creditors move forward with tracking down the user, they come to you... after all, it's you whose name the account is in.

How do identity thieves do this... information.  They start with having information about you.  Enough information to convince someone somewhere that they are you.

I'm still amazed that I can go out on the web and find tremendous amounts of personal information about people.  The place that amazes me the most is social networking sites like MySpace.com.  People put all of their personal information right there in one place... their full name, height, weight, hair color, birthdate, where they were born, where they were married...  let's make it as easy as possible for someone to steal your identity by putting everything they need to know in one place.  Not only are you providing all the basic information necessary for driver's licenses, bank accounts, credit cards, etc... but you're also undermining security measures financial institutions have put into place to help safeguard you.  Here's what I mean... We're all familiar with the "mother's maiden name" question, but in the last couple of years, financial institutions have implemented additional security measures by having me set up "personal security" questions like: name of first pet? city where you were married? city in which you were born?  Do these questions sound familiar?  They should, they are the exact type of information I noted people are posting at sites like MySpace.com.  Keep in mind, this isn't a problem with MySpace.com... MySpace.com is an awesome service... the problem is the USERS don't carefully consider the value of the information they post there, and the risk posed by posting it.

Here's another example... I recently had to order a certified copy of my birth certificate... I was able to do it online in about 5 minutes by providing certain information about myself.  That was a shocker.  They mailed it right to my door halfway across the country, with what I felt was minimal confirmation I am who I say I am.  With my birth certificate, an identity thief who looked reasonably my age and was the same sex could be down at the Driver's License office getting a license with my name and their pic.  Then they are only a step away from a checking account at a bank... and then opening a line of credit or credit card.  Meanwhile, I have no idea it's happening.  It's frightening.

Ok - hopefully I've scared you.  Now the question is, how do I protect myself?  Here are some important steps:

Protect Your Information and Identity

  • Don't post any more personal information on any website than you absolutely have to to achieve your purpose. 
  • If your bank has made available bank/credit cards which have your photo on them, trade in your current cards for these.
  • Never share personal information by telephone.  Be suspicious of any calls that come into you... i.e., you only really know who you're talking to if you called them.
  • Secure items that contain personal information in a safe place.
    • birth certificates, social security cards, excess credit cards, life and home owners insurance info should all be secured in a fireproof, waterproof safe to ensure they'll survive a fire and the firemen.
  • Every home should have a shredder:
    • Shred unneeded documents containing personal information.
    • shred all charge receipts.
  • Pay attention to billing cycles and contact creditors if bills do not arrive.
  • Review credit reports for you, your spouse and your children annually.
  • Mail stamped, outgoing bills directly from a local post office or US Mail box.
  • Do not carry your social security or excess credit cards unless absolutely necessary.

Here's my single biggest pet peeve on this particular topic... Everyone's getting on the web, right?  A family website with photos of your wedding, and kids, and parties, etc..  And here's the type of things I see on these sites:

  • Here's my sister Rhonda who was wonderful as my maid of honor at our wedding!
  • Here's a collection of our photos from our wedding, which was at the beautiful Duke chapel in Durham... we chose this because we got engaged there at Duke gardens!
  • Pics of my brother's kids, Alex, the oldest, shooting his little brother Max with a water gun!
  • We're the Johnsons.  Marc, my husband, his parents, Bill and Barbara Johnson are from Elizabeth City, NC, while my parents are from Seattle, WA, where I was born.

Now... consider that your credit card companies are adding these "security questions" to your online account access to help protect you.  So instead of just having your account number and password, you have to be able to answer personal questions which you've preselected and provided the answers to.  Sounds very secure, right?  What are those questions?

  • What's your paternal grandfather's first name?
  • What's the first name of your oldest nephew?
  • In what city were you married?
  • Who was the maid of honor at your wedding?

Do any of these look familiar?  If I'm targeting you specifically, especially for identity theft, what information can I find out about you on your website? On the website of another family member?  Myspace or Facebook sites?  Consider these items as you think about protecting your information and your identity.

Protect Your Computer

  • Use a firewall.
  • Install anti-virus protection software and check for regular updates.
  • Install anti-spyware and anti-ad protection programs.
  • Never download unknown software.
  • Regularly update your operating system, firewall and other "anti-" software.

Protect Your Account Access (access to any account with any entity which has personal or financial information, including your banking account, web hosting account, etc..)

  • Commit passwords to memory - do not utilize password memory/management programs.
  • Always sign off websites you access which have personal or financial information - sign off, and close the browser.
  • NEVER sign on to a website which has personal or financial information from a public/shared computer
  • Do not provide personal information to any source, even if prompted by email or pop-up
  • Do not follow a link to a website for your financial institution from an email.  Only go directly to the institution's website that you are familiar with, and know is their site.
