Do I really have to worry about cross-site contamination?
I get this question a lot when I talk to people on the phone. I deal mostly with agencies and larger companies who have 20, 30, or 100 sites sitting on 1, 2, or 5 servers (or dozens of hosting accounts) and want to know about cross-site contamination. It’s an interesting concept. If one site gets compromised and infected with malware, will the other sites that are sitting on the same server get compromised? Well, the real answer is… maybe.
Let’s talk about life…
I started doing research on this subject when I came to work for Sucuri. I always thought it was a notion cooked up by the security experts trying to scare consumers into submission—you can get screwed just by sitting next to someone or sharing the same cutting board as the raw chicken? But this holds true in life all the time. Whether you’re at the movies and some unruly teenagers walk in—there goes your enjoyable movie-watching experience. Or you serve a platter of vegetables after you’ve cut them on the same counter top you forgot to wash off after you marinated the steaks—lucky party guests!!
True story: Stephanie Smith, a children's dance instructor in Minnesota, was paralyzed by E. coli that happened to infect a burger her mother cooked for her at a backyard BBQ. How, you ask? Through cross-contamination, and a very slight change in the slaughterhouse's process. You can read about her grueling ordeal here - Real Life Impacts: The Stephanie Smith Story
And how does this relate to website cross-contamination? Well, it’s a pretty straight line. If a website is infected with a virus, that virus can spread or attach itself to all the other websites it sits next to. And this is how it happens: it can be subtle or slow, fast or fierce, but it can (and does) happen!
Yet…I still wasn’t happy with that answer or analogy. So, I dug a little deeper and a little closer to home. Let’s look at traditional computer worms and viruses. The kind that can really mess with your local computer. How are those delivered? How do they get on my computer? Let’s define what worms and viruses do.
Computer Worm: a standalone malware computer program that replicates itself in order to spread to other computers. Computer Worm – Wikipedia
Computer Virus: a computer program usually hidden within another seemingly innocuous program that produces copies of itself and inserts them into other programs or files and that usually performs a malicious action. Computer Viruses – Wikipedia
So how do you get this type of malware on your computer?
That’s a great question, and one that’s hard to answer: malware distribution has gotten so sophisticated these days that it’s hard to tell exactly how your computer got infected. Common delivery methods include:
- Phishing lure pages / Spear-phishing emails: You get an email from someone you know (or think it’s someone you know) and you click on a link. Same as if you go to a website you think you trust and click on a button/link.
- Drive-by Infections: These are super dangerous because it means you just visit a malicious website and it can infect your computer. Just being on that website for one second can deliver a payload that really inconveniences your life.
- Using unsecured networks: We’ve come to expect free wifi everywhere we go, but beware, because that means anyone else (especially unscrupulous users) has access to it as well. And a skilled hacker can gain access to your system and crack passwords with ease using the many software tools freely available!
- Using an infected flash drive: OK, this one is unlikely, but if you’re a student and need to back up your files and you use a flash drive your friend gave you, it can potentially be dangerous. Just buy new ones that are sealed in their packaging!
- Downloading music, movies, and other stuff illegally: I’m sure people still do this, but it’s a sure-fire way to get infected with malware. Be careful what you download and what source you use to download it from.
- Social Media: Social media platforms are our best friends sometimes, but they have lots of things that we click on, from interesting top stories, to party invites, to alluring ads. These can all be triggers for malware distribution, and according to Business News Daily, social media is now the world’s largest attack surface.
- Mobile Apps: Yup, now your mobile phone can be hacked! Cybercriminals have created malicious apps disguised as “utility” apps, and when unsuspecting users install one, it fills the phone’s memory with malware. The next time that phone gets connected to a computer, for whatever reason (maybe just to charge it), the computer gets infected with malware.
As you can see, there are a myriad of ways to get infected with malware, and that malware can come from a plethora of sources. Depending on how the virus, worm, or malware code is written, it can spread like wildfire, infecting everything in its path, from phones, to local computers reached over unsecured networks, to other local computers and servers.
And if we think about this concept, at its very foundation it’s considered cross-platform contamination. But let’s look at viruses on a granular level. What happens when the virus infects my computer? How does it spread?
A virus has several moving pieces to it, all of which help with its end goal of inflicting damage.
- Infection mechanism – this is how the virus spreads or propagates. There’s something called a ‘search routine’ which locates files/disks to target, then copies itself into those files/disks.
- Trigger – known as a logic bomb, it’s the piece of the virus that activates the payload and can be done through a number of different actions or executions, such as on a certain date or time, the presence of another program, disk capacity, or a simple click.
- Payload – the code/data that performs the purpose of the virus, oftentimes the malicious or harmful activity.
If we look at these pieces, we’ll see that a virus on a local computer will move throughout that entire computer replicating itself in different files, disks, programs, applications and so on, delivering a payload.
So cross-site contamination is quite similar. A server is really just a computer. Let’s dive into that…
Cross-site contamination with a side of fries, please…
Going back to our food analogy, let’s say you go to your favorite fast food restaurant, and let’s say you order a big juicy burger with a side of fries. Only, unbeknownst to you, that burger is contaminated. Does that mean the fries are too? Well, if they’re served to you in the same bag, then yeah, it could be!
If you take a server, let’s say a shared hosting account with any of the big boys out there, and you currently have 5 sites on that shared hosting account, what’s the likelihood of a site getting infected? Well… if you don’t have any security measures in place, then the answer is very high. But let’s say you do have security measures in place. Let’s say you have a website application firewall and you scan every day for malicious activity. But let’s say you only have those security measures on the two most important websites on that server. The other 3, you couldn’t care less about!
Why this train of thought sucks:
If you go back a little and look at cross-platform contamination and contamination of files on your local computer, cross-site contamination works the same way. You’ve got 5 sites sitting on the same shared hosting account and only two of those sites have a Firewall. That means that the other 3 do not! So they are still susceptible to brute-force attacks, DDoS attacks, malware distribution, and every other form of malicious activity… essentially making every site on that server susceptible.
Once a hacker gains access to one of the sites that sit in your shared hosting account, realistically they can do a lot of damage. Because the sites share one account, the attacker has the same read and write access to the other sites’ files as the compromised site does. They can add files, change permissions, inject code that locks you out of your site, and take over your entire web server, damaging the sites that “were” protected, or so you thought.
What to do??
Well, a few things. One, you can have security measures across the board. If 5 sites are on a server, make sure you have a Firewall for each of them, and make sure you monitor each of them. Or you can isolate sites, which is another avenue. Maybe it’s more cost-effective for you to take those two (important) sites and move them to their own environment, with their own account, so a compromise of a neglected site cannot reach their files. You can also clean up your server; I totally recommend doing this. Take a lazy Sunday and look at how many sites you have on your server. I’m talking about all of it – the subdomains, sub-directories, the development sites, and so on.
The more sites you have sitting on your server, the more susceptible you are to malicious activity. If you have 20 sites, and 1 is protected, there’s a good chance it’ll be compromised. Even if you have 19 that are protected, there’s still a chance you could be compromised. Albeit a small chance at that ratio, it is still there.
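To make the “one compromised site can modify its neighbours” point above, and the value of isolating sites, concrete, here is a small audit script added for this post (it is not Sucuri’s code). On a Unix host, sites that run as the same account user can write each other’s files, and a world-writable directory is reachable even from a site that has its own user. The site layout, user IDs and file list below are constructed sample data; collecting real entries from disk with os.walk and os.lstat is left to the reader.

```python
import stat
from collections import namedtuple

# mode holds the permission bits only (e.g. 0o644), as returned by stat.S_IMODE
FileEntry = namedtuple("FileEntry", "path uid gid mode")

def writable_by(entry, uid, gids):
    """True if a process running as uid (member of groups gids) may write entry."""
    if uid == 0:
        return True
    if entry.uid == uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid in gids:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)

def cross_site_exposure(sites, entries):
    """sites: {name: (docroot, uid, gids)} describing the user each site runs as.
    Returns {(writer_site, victim_site): [victim paths the writer could modify]}."""
    findings = {}
    for victim, (docroot, _, _) in sites.items():
        prefix = docroot.rstrip("/") + "/"
        victim_files = [e for e in entries if e.path.startswith(prefix)]
        for writer, (_, uid, gids) in sites.items():
            if writer == victim:
                continue
            hits = [e.path for e in victim_files if writable_by(e, uid, gids)]
            if hits:
                findings[(writer, victim)] = hits
    return findings

# Constructed sample: three sites share one hosting account (uid 1001), one is isolated (uid 1002)
SITES = {
    "shopA": ("/home/acct/public_html/shopA", 1001, {1001}),
    "blogB": ("/home/acct/public_html/blogB", 1001, {1001}),
    "devC": ("/home/acct/public_html/devC", 1001, {1001}),
    "isoD": ("/home/isoD/public_html", 1002, {1002}),
}
SAMPLE = [
    FileEntry("/home/acct/public_html/shopA/wp-config.php", 1001, 1001, 0o640),
    FileEntry("/home/acct/public_html/blogB/index.php", 1001, 1001, 0o644),
    FileEntry("/home/acct/public_html/devC/uploads", 1001, 1001, 0o777),
    FileEntry("/home/isoD/public_html/index.php", 1002, 1002, 0o644),
]

if __name__ == "__main__":
    for (writer, victim), paths in cross_site_exposure(SITES, SAMPLE).items():
        print(f"{writer} can modify {victim}: {paths}")
```

Every site in the shared account can rewrite the others’ files, including the “protected” shop’s wp-config.php, while the isolated site is unreachable except through the world-writable uploads directory, which is the caveat to watch for after isolating.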
Protect your sites, protect yourself, protect your visitors!