Tag

Hacking

I know I’ve used this clipart before that’s in the featured image (maybe I like it!), but because the Guy Fawkes mask has become synonymous (thanks to Anonymous) with web hackers and in turn with website security, I found it befitting to use once again.

This post is in direct relation to the talk I am about to give this Thursday for NIM on helping people overcome their website security insecurities. I will post the slides by the end of the week.

A little background…

Ever since I’ve been in the field of website security, it’s taken me a while to understand it. Working for Sucuri definitely helped in understanding it —but when I first started I did NOT get website security. It made no sense to me. And I’m a guy who comes from the agency world. I used to do front-end development work, I know design process, development process. That makes sense, you take one step forward and get closer to your goal…hopefully.  Not in website security, you side-step constantly. Because it’s not about control. Website security is a combination of technology, process, and people. You can’t control all those things, you can assess and mitigate risk in those areas, but you can’t control.

Helping people overcome their website security worries..

The motivation I have for giving the talk is two-fold:

  1. I really do want to help people overcome their worries and fears. Website security can be frustrating, befuddling, scary, complex, and down-right incomprehensible. And to preface, this is a post about website security. Not web security, not IT security, not PC security, or network security. This is a post on protecting your website. Although, all those other layers of security do sort of play a role in website security, that’s why it can be super confusing.
  2. Is to let people know that as website owners and managers, we have a responsibility to not only our sites, but our visitors, the world wide web as a whole. We need to be good stewards of the internet and that starts with the properties that we manage online. Our posture needs to be strong, solid.

So…I guess you could say my hopes for this post/talk are that the audience picks up one (hopefully more) tidbits of information that will make them more diligent online. I want people to understand website security a little better and to give them a plan of action to get their website security and online posture in order.

Let’s begin

The first thing I need everyone to understand is that website security involves several things. It involves Technology, Processes, and the People:

  • Technology – you have a local computer – you have a hosting environment, the different systems that you use that are integrated with your website, social media, the list goes on..
  • Process – Protocols that are used to transmit data (HTTP/HTTPS), protocols you use to recover your site once it’s been hacked, the process for updating your website or storing a password, the list goes on..
  • People – This one’s the hard one, the wildcard. We have hackers, that are getting better by the minute coming out with new technology. There’s us – the website owners – maybe we don’t have enough education. Then there’s the people that visit our website, maybe they have malware on their computer and upload something to your site, the list goes on..

Technology, Process, and People

So, the point is, we can’t control everything, but we can mitigate the risk.

Let’s talk about the people, mainly hackers…

hack·er ~/ˈhakər/ (noun): a person who uses computers to gain unauthorized access to data.

Originally ‘hacker’ was a term of esteem, used to describe someone who tinkered around with systems and could break things down, reverse engineer, someone who was really good at understanding their system (whatever it was).  Now it’s used to describe someone who wants to do malicious harm online.

HACKERS: White-hat, Black-hat, Grey-hat , Blue-hat. There are different types of hackers.

  • Script Kiddies – usually computer novices who take advantage of hacking tools, vulnerability scanners and the like
  • Hacktivists – groups like Anonymous, hacking for a cause, usually to expose information, get someone out of prison, expose a corrupt official, things like that.
  • Cyberterrorists – hackers that go after government entities. Experts say World War III will be fought online, I whole-heartedly believe that.
  • Organized Criminal Hackers (Hacking rings) – groups that take down targets like Home Depot, the MySpace passwords that were recently stolen, etc.
  • Security researchers – the good guys (or the in-betweeners – Grey-hats) that try to get ahead of the bad guys or find a vulnerability before it’s exploited.

Motivations of hackers:

  • Revenue/Money
  • Resources
  • Just because they can / or the challenge of it.

Attack types and distribution..

For the most part you’re going to see two types of attacks. Automated, which make up the vast majority of the attacks that are out there. Then the less frequent targeted attacks. The targeted attacks are the ones we hear about and read about in the news headlines. But the ones we really need to worry about are the opportunistic or automated attacks. Given enough time, attackers can sit back and have their networks work for them, and have their scripts slowly find, test, and attack every available target on the internet. Malicious automation has gotten increasingly sophisticated and shows no signs of slowing down.

You can download Sucuri’s Q1 report on hacked websites here: https://sucuri.net/website-security/website-hacked-report

It’s pretty scary stuff, but to give you a precursor, Google reported in March of 2015 that 17 million website users had been greeted with some form of malware warning that the websites visited were either trying to steal sensitive information or trying to install malicious software on the users’ computers. In March of 2016, that number jumped to 50 million!! I imagine next year that number will grow to triple, maybe quadruple that. You can see as the internet grows, so does malware distribution. Google, alone, blacklists over 20,000 websites per week, over a million per year. That’s pretty staggering.

But what are some of the vehicles for distributing malware? There are a lot, almost too many to name, but I’ll name a few that’s seen quite often:

  • DDoS attacks – it’s an attempt to make a website unavailable by overwhelming it with traffic from multiple sources.
  • Brute Force Attacks – this is a trial and error method used by hackers to crack passwords through exhaustive efforts, not strategic ones. We see this a lot with Content Management Systems.
  • Software vulnerabilities – a weakness in a website or system that allows a hacker to gain access and/or infect it with malware. These are usually due to people not updating their systems.
  • Drive-by Downloads – refers to the unintentional download of a virus or malware onto a personal computer or mobile device
  • Phishing Lure – an attempt to acquire sensitive information (passwords, usernames, etc.) by masquerading as a trustworthy entity online.
  • Malicious Redirects / SEO spam – this is the manipulation of a website’s SEO and/or links to get traffic to a certain page. Often times a pornography site, or pharma page like Cialis or Viagra.

There are others like XSS (Cross-site scripting), SQLi (SQL injections), RFI (Remote File Inclusion), LFI (Local File Inclusion), and more. So we need to be very diligent, things are already working against us.

But what do we control as website owners?

A few things, right? Right now, we control our website (well, hopefully if you haven’t been hacked and locked out of your site), and what goes on it — things like themes, plugins, modules, extensions, add-ons…

We also control our hosting environment. And I want to make a quick note on how hosting plays a role in website security. Here is a picture of my CyberDuck (the FTP client) – I’ve blurred out a few of the domains I have on there (for security purposes).

interface for cyberduck ftp

 

The thing to note here, is that all these 6 sites, all these properties, they sit next to each other in your hosting account. It doesn’t make a difference to me if you have a dedicated server, a VPS, or a shared server. Most people have shared servers. Why? Because they’re cheap and they offer unlimited domains. I don’t think it’s much of an issue that people sit on shared servers with other people and “share” the resources, that’s not really the problem. Hosting providers will have their infrastructure set up so that it would be very difficult for malware or a virus to jump from one account to the other. But the issue it within our own hosting account.

Take the above picture. Say the two sites that are not blurred out – BeingAJiLe.com and AdamJamesLamagna.com – say these sites were really important to me (they are), but let’s say those are the only two I cared about on my shared server. The other 4 sites that are blurred out, let’s say I don’t care about them. Let’s say I never update (I do, but for argument sake). That means that those sites are susceptible through software vulnerabilities, or weaknesses in the code. If one of those sites gets infected, it could infect all the other sites on my server through an activity called cross-site contamination. I wrote a post on it. But remember this — your web host / server is only as strong as its weakest link.

Your web host /server is only as strong as its weakest link

And that’s how hosting plays a roll in website security. People put development or test sites on the same server as production sites, and then forget about those sites. Take a count of how many sites you have on your server, and do a little cleanup if there are sites on there that you don’t care about.

What do we do to actively protect our sites??

This is the thing, there’s really only 1 thing you can do to protect your site. And that’s to install a firewall, specifically a website application firewall. A firewall is a catch-all phrase, right? There are network Firewall stickmanfirewalls, server-level firewalls, local computer firewalls, they all protect different things. You can read up on the Differences in Security Firewalls, it’s a good post. But a website application firewall, also known as a WAF, will protect your site from malicious incoming web traffic. What it does is inspects packets of data and compares it to known vulnerabilities and known trusted sources. If it matches a trusted source, it passes through, if it matches a vulnerability, it doesn’t.

But Firewalls, as all security technologies, are not infallible. They make mistakes, not very often, but maybe there’s a new virus that it hasn’t seen yet. It won’t pick up on it and block it from your website. But that’s the reality and why having a good online posture comes in handy.

Understanding the security state of your websites…

Another technology you can use to get insight into what is going on already on your website is called a scanner, or monitoring device. There are a few free ones out there like these:

All pretty solid technologies, but again they’re fallible. They’ll check the source code and files and compare it to known vulnerabilities. If a vulnerability has not been discovered yet, it won’t pick up on it. But that’s just the way it is, so we have to be strong in our online posture to be able to react accordingly, and hopefully prevent infection from ever happening.

Essentials of good online posture for your website security..

A few things (and let me preface this by saying ‘I don’t want to tell you what you already know’) that I want to impress upon you that are essential to good online posture.

  1. Backups – this one should be pretty obvious. You need to backup the files and the database (both of these!!). If you don’t change your content all that often, backup once a month. If you blog everyday, backup daily. Now for each specific CMS, there will be tools you can use. For WordPress, I use BackUpWordPress – it lets me automate backups on a frequent basis. But, what it will end up doing is placing the .zip file and .sql backup on the server. Remember what I said earlier about servers. You need to remember that once your backups are complete, to remove them from your server. Put them in a safe place on your local computer or somewhere in the cloud. Otherwise, your backups could become corrupted if your website gets infected.
  2. Updates – another one that’s pretty obvious. You need to update your site. Along with cool new features also comes security patches. This is what we care about – security patches. Now WordPress has been really great at backwards compatibility, meaning that when you update, it’s rare that thing break on your site. Well…as long as it’s not super customized. For those sites that are super custom or other CMS’s that aren’t great at backwards compatibility (ehem…Drupal), then the only way to really protect against this is to get a website application firewall – what I talked about earlier. Most firewalls will stop those vulnerabilities at the edge before it even gets to your site. Known security patches will get written into a firewall’s ruleset to help protect. Otherwise, I would make plans on fixing your website to be able to do updates.
  3. Passwords – I believe people are getting much better about their passwords, I think… Use a password manager like LastPass or 1Password. I bought 1Password for $50 for my lifetime, it’s totally worth it. Password managers will generate strong passwords for you, you don’t have to memorize them (you only have to memorize one – the one that gets you into 1Password). It will open up a particular website and autofill for you, which is super nice! And you can also share passwords via vaults with team members through a service like DropBox or Google Drive.
  4. Access Control / User Access – this ones always a tricky one. You have a CMS, and other users need to be on for whatever reason. Maybe they put new products on the site, or write blog posts for you, or make updates to plugins. Whatever the reason, users need to get on your site, you can limit their access through things like user roles, which WordPress does really well. But the other piece is authentication. Authentication is huge in the CMS world. I wold strongly suggest enabling something called two-factor authentication. You can do this pretty easily in WordPress and I’m sure other CMS’s too. You need to download Google Authenticator in the App Store using your Android or iPhone. Then I used the Google Authenticator plugin. When you install the plugin and go to a User (you can have a different code for each user, which is ideal) it will ask you to enable it and a QR code will pop up. On your iPhone/Android, you just scan the QR code and then miraculously it’s synced up. Now, every time you go to log in, it will ask you to put in your 6-digit code from Google Authenticator. The system knows it’s YOU who is logging in, and not someone else coming through a Brute Force attack. Now, if you don’t have an iPhone or don’t want the hassle, you can always install CAPTCHA or ReCAPTCHA, which will authenticate that the user logging in is not a robot/bot by asking it to spell some hard to read text or doing a math problem. I prefer Google Authenticator, but CAPTCHA is at least another layer of security.

So, where do I start if I don’t know where to start…

You start with an asset inventory list:

  1. Create a list of all the sites you own or manage:
    1. Where are those sites hosted?
    2. What plugins, modules, extensions, themes, 3rd-party systems are on or integrated with my website? Are they necessary? If not, remove them.
    3. Make a list of all the people who are allowed access to your site. Evaluate their permission levels, stress strong passwords, and enable two-factor authentication.
  2. Make a backup of each site:
    1. Files and Database – remember to take them off your server and store them some place safe.
  3. Make sure your site is updated:
    1. Core files, plugins, themes, modules, extensions, etc.
  4. Scan your sites for malware:
    1. Use one of the free DIY tools offered by Sucuri or other companies.
    2. Or use a scanner specific to your CMS, see below.
  5. Actively protect your site using a Firewall or CMS specific technology.

Here are a few tools for you to put in your website tool DIY basket:

Platform Agnostic Scanners:

CMS specific scanners (HackTarget has got some cool tools):

CMS specific scanners will compare your install to a trutsted install of the specific CMS to see if things have changed much, etc. It’s good to see if files have been changed or if there’s something on your site that just shouldn’t be there.

Reasonably priced Firewalls:

If you absolutely can’t pay for a Firewall and need something free, then I’ll use a combination of Cloudflare’s free CDN service, and Wordfence (this is only for WordPress users) – they bill the plugin as the “most downloaded security plugin for WordPress” – I feel like I’ve heard that before. But either way, this combination works really well for my sites, but keep in mind, my sites aren’t super high traffic. I imagine if you have a super high traffic site, that you can pay for a reasonably priced firewall.

But if you can’t, the above combination works for me. I use Wordfence’s automated scanning and Firewall, in conjunction with Cloudflare’s free CDN network (which will speed your site up regardless) and their security features. I also have two-factor authentication on my site and I use Login Lockdown which will limit Brute Force attempts.

In closing…

I know this is all a lot to take in. Website security just isn’t one thing, it’s many. We were told that putting up a website is easy, and that’s true, it is easy. But managing and protecting and keeping your site/visitors secure on a daily basis is the hard part! It’s a constant battle, but I hope this brought a little clarity to securing your website and being a more responsible steward of the internet.

A few more resources if you’re interested..

If you have any questions, please feel free to reach out! Many thanks!

Do I really have to worry about cross-site contamination?

I get this question a lot when I talk to people on the phone. I deal mostly with agencies and larger companies who have 20, 30, 100 sites sitting on 1,2, or 5 servers (or dozens of hosting accounts) and want to know about cross site contamination. It’s an interesting concept. If one site gets compromised and infected with malware, will the other sites that are sitting on the same server get compromised? Well, the real answer is…..maybe.

  Let’s talk about life…

I started doing research on this subject when I came to work for Sucuri. I always thought it was a notion cooked up by the security experts trying to scare consumers into submission—you can get screwed just by sitting next to someone or sharing the same cutting board as the raw chicken? But this holds true in life all the time. Whether you’re at the movies and some unruly teenagers walk in—there goes your enjoyable movie-watching experience. Or you serve a platter of vegetables after you’ve cut them on the same counter top you forgot to wash off after you marinated the steaks—lucky party guests!!

True story: 

Stephanie Smith, a children's dance instructor in Minnesota, was paralyzed from E. Coli which just happened to infect the burger she ate at a backyard BBQ that her mother cooked her. How, you ask? Through cross contamination, and a very slight change in the slaughterhouse's process. You can read about her grueling ordeal here - Real Life Impacts: The Stephanie Smith Story

And how does this relate to website cross contamination, well it’s a pretty straight line. If a website is infected with a virus, then that virus can spread or attach itself to all the other websites it sits next to. And this is how it happens, it can be subtle, or slow, fast or fierce, but it can (and does) happen!

Yet…I still wasn’t happy with that answer or analogy. So, I dug a little deeper and a little closer to home. Let’s look at traditional computer worms and viruses. The kind that can really mess with your local computer. How are those delivered? How do they get on my computer? Let’s define what worms and viruses do.

Quick Computer Lesson

Computer Worm: a standalone malware computer program that replicates itself in order to spread to other computers. Computer Worm – Wikipedia

Computer Virus: a computer program usually hidden within another seemingly innocuous program that produces copies of itself and inserts them into other programs or files and that usually performs a malicious action. Computer Viruses – Wikipedia

Computer with a virus on it

So how do you get this type of malware on your computer?

That’s a great question and one that’s hard to answer because malware distribution has gotten so sophisticated these days, it’s hard to tell exactly how your computer got infected. Certain delivery method culprits could be:

  • Phishing lure pages / Spear-phishing emails: You get an email from someone you know (or think it’s someone you know) and you click on a link. Same as if you go to a website you think you trust and click on a button/link.
  • Drive-by Infections: These are super dangerous because this means you just visit a malicious website and it can infect your computer. Just by being on that website for one second can deliver a payload that really inconveniences your life.
  • Using unsecured networks: We’ve come to expect free wifi everywhere we go, but beware because that means anyone else (especially unscrupulous users) have access to it as well. And the good hackers can gain access to your system through all the various software tools available and then crack passwords with ease with all the various software tools available!
  • Using an infected flash-drive: Ok, this one is unlikely, but if you’re a student and need to back up your files and you use a flash-drive your friend gave you—it can potentially be dangerous. Just buy new ones that are sealed in their packaging!
  • Downloading music, movies, and other stuff illegally: I’m sure people still do this, but it’s a sure-fire way to get infected with malware. Be careful what you download and what source you use to download it from.
  • Social Media: Social media platforms are our best friends sometimes, but they have lots of things that we click on from interesting top stories, to party invites, to alluring ads. These can all be triggers for malware distribution and according to Business News Daily is now the world’s largest attack surface.
  • Mobile Apps: Yup, now your mobile phone can be hacked! Cybercriminals have created apps as “utility” apps and when unsuspecting users download it, it fills their phone’s memory with malware. The next time that phone gets connected to a computer, for whatever reason (maybe just to charge it), the computer gets infected with malware.

As you can see, there are a myriad of ways to get infected with malware. And that malware can come from a plethora of sources. Depending on how the virus, the worm, or malware code is written, it can spread like wild-fire infected everything in its path from phones to connections with local computers over unsecured networks to other local computers and servers.

And if we think about this concept, at its very foundation it’s considered cross-platform contamination. But let’s look at viruses on a granular level. What happens when the virus infects my computer? How does it spread?

A virus has several moving pieces to it, all of which help with its end goal of inflicted damage.

  1. Infection mechanism – this is how the virus spreads or propagates. There’s something called a ‘search routine’ which locates files/disks to target, then copies itself into those files/disks.
  2. Trigger – known as a logic bomb, it’s the piece of the virus that activates the payload and can be done through a number of different actions or executions, such as on a certain date or time, the presence of another program, disk capacity, or a simple click.
  3. Payload – the code/data that performs the purpose of the virus, often times the malicious or harmful activity.

If we look at these pieces, we’ll see that a virus on a local computer will move throughout that entire computer replicating itself in different files, disks, programs, applications and so on, delivering a payload.

So cross-site contamination is quite similar. A server is really just a computer. Let’s dive into that…

Cross-site contamination with a side of fries, please…

Going back to our food analogy, let’s say you go to your favorite fast food restaurant. And let’s say you order a big juicy burger with a side of fries. Only unbeknownst to you, that burger is contaminated, does that mean the fries are too? Well, if they’re served to you in the same bag, then yeah, it could be!

If you take a server, let’s say a shared hosting account with any of the big boys out there, and you Virus with a side of friescurrently have 5 sites on that shared hosting account. What’s the likelihood of a site getting infected? Well… if you don’t have any security measures in place, then the answer is very high. But let’s say you do have security measures in place. Let’s say you have a website application firewall and you scan every day for malicious activity. But let’s say you only have those security measures on the two most important websites on that server. The other 3, you could care less about!

Why this train of thought sucks:

If you go back a little and look at cross-platform contamination and contamination of files on your local computer, cross-site contamination works the same way. You’ve got 5 sites that are sitting on the same shared hosting account and only two of those sites have a Firewall. That means that the other 3 do not! So they are still susceptible to brute force attacks, DDoS attacks, malware distribution, and every other form of malicious activity…essentially making every site on that server susceptible.

Once a hacker gains access to one of your sites that sit in your shared hosting account, realistically they can do a lot of damage. They can add files which can change permissions, inject code that locks you out of your site, and they can take over your entire web server and damage the sites that “were” protected, or so you thought.

What to do??

Well, a few things. One—you can have security measures across the board. If 5 sites are on a server, make sure you have a Firewall for each of them, make sure you monitor each of them. Or you can isolate sites, which is another avenue. Maybe it’s more cost-effective for you to take those two (important) sites and move them to their own environment. You can clean up your server, I totally recommend doing this. Take a lazy Sunday and look at how many sites you have on your server. I’m talking about all of it – the subdomains, sub-directories, the development sites, and so on.

The more sites you have sitting on your server, the more susceptible you are to malicious activity. If you have 20 sites, and 1 is protected, there’s a good chance it’ll be compromised. Even if you have 19 that are protected, there’s still a chance you could be compromised. Albeit, it’s a small chance at that ratio, but it is still there.

Protect your sites, protect yourself, protect your visitors!

 

The Frustration with Website Security

May 1, 2016
Comments Off on The Frustration with Website Security

People just expect their websites to be secure!

People just expect their sites to be safe, and I’ll admit, I did for the longest time too! But that’s a far cry from reality and one that’s hard to sell.

I work for Sucuri, one of the best website security companies on the market today (probably the best – and yes, I am biased!). But I sell web products to agencies and enterprise level clients. It’s not so difficult to sell them on our products. Sucuri’s products, they just work and very well at that! What I need to sell people on is website security as a whole, which is much more difficult than you may realize.

Let me break things down.

There are all these moving pieces to the web, correct? Yes, there are. Even more so at a granular level when you look at company’s servers or hosting environments, file structures and setups, their clients and others who have access to these sites, the sites themselves and all their vulnerabilities. Not to mention the hackers, who rarely leave a trace and rarely get caught and rarely get punished for it.

Let’s start with different environments. There’s a great analogy I use for shared hosting, VPS, and dedicated accounts.

  1. Shared hosting – this, essentially, means that you are sharing resources with everyone else in that environment, like CPU time or memory space. It’s like living in an apartment complex and sharing the pool, laundry, and parking lot with your neighbors. You still have your own place, but if the laundry is tied up, you’ve got to wait!
  2. VPS (Virtual Private Server) – this is like living in a condo, because you’re still sharing resources that are outside of your condo, like parking space, but you’re ultimately responsible for things inside your condo. So, in a VPS environment, there are still shared resources, but portions of those resources are dedicated to each individual VPS.
  3. Dedicated server – this is like owning your own home. You’re responsible for the upkeep, but you also have access to all the resources, and no one shares them with you.

So, this is a very simplified version of server environments. Nowadays, people use the term ‘server’ and the term ‘hosting’ in somewhat the same way. Years ago, when someone said we host internally, it usually meant that they had physical servers inside their offices where they would manage them and actually host their sites on those servers. And for those of you who don’t know, a server is just a computer, with a little different hardware on it (even though, a desktop computer could run a server) – I know, confusing!!!

Hosting is done by a number of different providers like WP Engine, 1and1, GoDaddy, Pantheon, and so on. They have the hardware and resources to handle many different types of platforms (or a specific one), and they also make things easy for people to manage their environments through something called a C-Panel or Control Panel. It’ll give you access to your domains (if you’ve pointed them from your registrar or used the hosting company to buy the domain) and let you change the directory path and DNS settings, things like that.

Now with most servers, there will be server-level firewalls set up with the infrastructure, but that means that it’ll still let in web traffic, which is what we need a lot of protection from. Port 80 (HTTP) and port 443 (HTTPS) traffic can let in a lot of different activity (good and bad).  This is how your visitors reach your site, through one of those two ports depending on whether or not you have an SSL certificate. So, there are many different ways a website can get compromised.

  • Software vulnerabilities
  • XSS (Cross-site scripting)
  • Backdoor Injections
  • SQL Injections
  • SEO Spam
  • DDoS (Distributed Denial of Service) Attacks
  • Brute Force Attempts

And the list goes on…and on…and on…

But you have to be aware of this stuff, and keep in mind that a lot of these attacks are automated. Some may be done manually by a bored teenager sitting at home in front of his computer. But for the most part, they’re automated attacks. And keep in mind there are attacks of opportunity (which we are all susceptible to) and targeted attacks, which are usually for the bigger brands and companies, but make no mistake if you engage in controversial content on your website (like religion or politics), you can very well be targeted too!

There are a few different reasons why someone would want to attack your site or gain access to it. It’s not just money, but that can be part of it.

  1. Revenue – and I’m not talking about people trying to steal credit card info (although, that happens all the time), but if you don’t do anything with e-commerce, hackers can still profit off of your website. Imagine a hacker injects your site with malware and then your mom visits your website. She unwittingly downloads something that your site told her to download (because she trusts you and what you put on your website) and then four hours later she has no money in her bank account. BOOM!! Oops… That’s what I’m talking about. And there’s also SEO spam. Hackers who use your site to redirect traffic to their pages to make money by inserting links, or keyword stuff your site (which will send your rankings through the floor – and it’s hard to recover from) to get better rankings in the short term and make money off of your audience.
  2. Resources – this is another big one. Maybe the hackers don’t want money, but they may want your resources. Things like bandwidth or CPU. They can build a network off of your system and lease it to others. Now hackers can take your resources and use them to attack other unknowing parties, without YOU (the website owner) even realizing it. Scary, right??
  3. Lulz – yup, that’s right, lulz!! What is that you ask? Well…it’s just for the hell of it! Fuck it, let’s try it! I want to see if I can do this. Again, it could be some bored teenager just sitting around chatting on the security forums. Someone tells them about a tool to drop scripts in a website via a contact form, and they want to see if they can do it and gain access. Then once they do, who knows what could happen!! Be careful of this, because this is really hard to mitigate against. Get a WAF (website application firewall).

We have to be careful of things like Ransomware (holding a website owner’s site hostage) or Cyber CrimeMalvertisements (malicious ads) and there’s no one right way to do this. It really starts with education, so if you’re reading this post, kudos!

Some thoughts on general security

In order to keep your site (and your visitors) safe, you’ll need to explore general website security. Starting with monitoring and a firewall. Sucuri offers an awesome monitor/firewall package, our Website Security Stack. But if you can’t afford that, then look at all the free stuff out there.

You can use our Sitecheck to see if there is malware on your site. But keep in mind this only scans remotely, it can’t check the database.

You can learn how to harden WordPress. Which is basically locking a few things down like access, having containment, certain configurations.

Or you can take a look at OWASP and ModSecurity – which are open source and free to use, you just have to configure the firewall yourself, and that can get confusing!!

The Frustration of Website Security

And this is the frustration of website security—is that there is no 100% solution out there. I don’t think there ever will be! Ever! The reality is is that the landscape of websites and their environments change so frequently that once a solution had been produced, hackers have already found a solution of their own to beat it. And that’s the continual cycle.

So educate yourself and the people around you. If you own a website, you not only have a responsibility to it, but to your audience, and the web in general.

More to come on this topic…..

 

The Wonderful World of Hacking

February 9, 2016
Comments Off on The Wonderful World of Hacking

I’ve always been fascinated by hackers ever since I saw the movie Hackers, which I now know does NOT accurately portray what being a hacker consists of. Hackers are an interesting bunch. Why? Because their reasons for doing what they do can vary the full length of the spectrum.

Let me explain

Back before computer systems and the internet got to be wildly popular, the term “hacker” was used to embody the tinkerers of software or electronic systems. These hackers enjoyed learning (and exploring) all they could about computers and the way they operated. In the beginning, hacker was a term that was used to describe a person who was really awesome at working with computers.

Now…it’s taken on a slightly different and somewhat complex meaning.

When you hear the term hacker, you automatically think of someone who tries to gain entry to a website or system to do something malicious, whether that be stealing information, defacing a website, etc. The term hacker now refers to someone who maliciously breaks into systems for personal gain. But the key phrase within that sentence is personal gain. What is personal gain? Well…it could be just about anything.

SOME OF THE REASONS WHY HACKERS HACK:
  1. Profit – this could be money or this could be web traffic.
  2. Notoriety – some hackers like to hack for the esteem it brings them in the hacking community.
  3. Hacktivism – hackers try to disseminate political or social messages and campaigns to raise awareness surrounding a certain issue or issues.
  4. Hobby – others do it because they want to see what they can break into, how hard it is, and so on.
  5. Because they can – yup, some do it just because they can.

Now, just like hackers hack for varied reasons, there are also several types of hackers out there and their motivations are varied as well.

TYPES OF HACKERS:
  1. Script Kiddies – these hackers are considered (in the hacking world) to be novices. They take advantage of hacker tools and upload scripts to different places (often times, without knowing what that script will do or how damaging it’ll be) for the fun of it. Hence the name, Script kiddies.
  2. Hackers for Hire – these hackers are the mercenaries of the cyber world. People will enlist their services for money.
  3. Cyberterrorists – usually they attack government networks or power/utility grids. These hackers will crash systems and steal government top secrets (aliens, UFO’s, stuff like that!). Very dangerous hackers, very dangerous!
  4. Criminal Hackers – often a part of an organization of hackers, they are very skilled in breaking into systems (often times, without a trace) and either stealing credit card info or personal identification information.
  5. Security Researchers – these guys are the good guys, the ones who find flaws in companies and organizations’ systems and bring them to light without causing harm. They’re also the ones who develop the tools to use against malicious hackers.

Now let’s talk a little bit about the different categories of hackers, they can all be described by colors. I know, pretty cool, huh?

CATEGORIES OF HACKERS:
  1. White Hat Hacker — the good guys!
  2. Black Hat Hacker — the bad guys!
  3. Grey Hat Hacker — kinda the in-betweeners, sometimes for good, other times, not so much.
  4. Blue Hat Hacker — the ones who get paid to uncover vulnerabilities (I feel like these guys should be called the green hat hackers, but that’s just me).

So, now that you have an idea of what types of hackers are out there, and before we get into what types of security threats are out there, let’s take a look at why it’s getting increasingly easier to hack systems and websites.

  • Networks, nowadays, are extremely widespread and we are all connected
  • Lots of hacking tools available
  • Many and many wifi networks that are open
  • Applications have complex codebases
  • Generations of our kids are getting super smart when it comes to computers
  • Anonymity

There are sooo many things that people should be concerned with if they are on the internet, have a website that they manage, pay for products online, or have personal identifiable information online.computer keyboard If you don’t participate in any of the preceding things, then you are a hermit and stop reading this post. Ha!

But hacking happens every single day. Every. Single. Day. Every. Single. Hour. Wrap your head around that! It does happen and if you have not been hacked, then you’re lucky, but it will eventually happen to you unless you take proper action, which I’ll write about in an upcoming post. But (and this list is by no means complete) here are different ways hackers can mess with you or your systems.

TYPES OF ATTACKS:
  1. Brute Force – these attacks are when a hacker keeps on trying to gain access to your login credentials on any number of password protected sites, by continually trying different password combinations. Almost like a guy trying to break down your door. When ramming his foot into it doesn’t work, he’ll try a battering ram, when that doesn’t work, maybe he’ll try to pick the lock. Hence, brute force. These happen on my WordPress sites everyday.
  2. DoS / DDoS – ahh, the infamous Denial of Service or Distributed Denial of Service. This is an attack that’s designed to flood a website or network with traffic overload to render it inoperable. The group Anonymous (which is a network of hackers that primarily hack to bring certain issues to light) is well-known for a series of public DDoS attacks. Interesting group and I would never want to do anything to upset them, that’s for sure!
  3. SQL Injection – SQL stands for Structured Query Language, which is used for communicating with databases. The injections are attacks that “inject” (obviously) malicious code into a database to gain access to that database.
  4. Cross-Site Scripting (XSS) – this is a vulnerability which allows hackers to insert client-side (meaning executed by a user’s web browser) scripts into pages on a website or application. Then they can go on and do anything malicious or see certain activity, etc.
  5. Cross-Site Contamination – this is when hackers gain access to a “secure” site by infiltrating it from a site that’s not secure, but on the same server. We see this a lot when people have outdated CMS installs on the same server they have the updated ones on.
  6. Phishing Emails – have you ever gotten an email asking you to update your profile on Facebook, but it looks a little off? That’s because it probably is! Phishing emails are exactly that, they’re when hackers are fishing for information. You’ll get an email that looks a lot like it came from Facebook (the good phishing emails are the ones where you can’t tell the difference) asking you to put in your password or personal information. Hackers are able to log what you do on these sites/emails, so don’t ever click anything in an email unless you absolutely trust the source, but even then you can’t be 100%, be careful!
  7. Social Engineering – this is a method many hackers use that relies on interacting with humans. It’s basically getting a person to be relaxed enough to offer up information they normally wouldn’t give out. So, if you’re ever on the phone with someone (a person you don’t know, like someone claiming to be from the post office or some other government agency) and they ask you what your mother’s maiden name is, don’t give it out unless you are absolutely positive you’re speaking to the proper person.

Again, this is by no means a complete list, but these are some of the common things hackers will try. The best way to protect yourself is by getting a service like Sucuri’s AntiVirus or Firewall plans, making sure to keep your systems updated, and by being informed. Make yourself aware when you’re online and be cognizant of what you are clicking on and activity in general. And luckily, you won’t be another statistic of getting hacked!