News

Hacking: motives, methods and how to protect your web site.

What do Apple, Facebook, Sony, Twitter and your business have in common?[0]

They are all actively targeted by hackers. The first four have already been successfully penetrated by hackers in high profile attacks. Are you sure that your web site is safe?

“The cyber threat could affect anyone, and we all need to take measures to protect ourselves against the threat it poses.” – Maj Gen Jonathan Shaw, head of the Ministry of Defence’s cyber security programme.[1]

In this white paper we examine the motives for hacking, and simple ways you can protect your web site.

Hacking is now an epidemic. It would be a mistake to assume that it is only big companies being targeted. A vulnerability assessment by Symantec found that 25% of web sites tested had critical level weaknesses.[2]

one

 

From Symantec Internet Security Threat report. [6]

What is hacking and why does it happen?

Hacking is actually a threat neutral activity, and describes the process of examining and modifying computer code. Facebook famously has a “hacker” culture. [3] However, this curiosity is often directed at malicious activity, and a sub-culture of nefarious hackers has developed. We will concern ourselves in this white paper only with malicious hacking.

 

So who are the hackers? Hackers vary from individuals operating out of their homes known as script kiddies, through to state sponsored cyber terrorism.

“The biggest threat to this country by cyber is not military, it is economic,” Maj Gen Jonathan Shaw, head of the Ministry of Defence’s cyber security programme.[1]

Their motivations includes curiosity, commercial gain, political and ideological propagation. Common hacks include:

Modifying web site content – adding links, pictures and text often offensive in nature.

Malware – adding script to pages that exploit loopholes in the browser to infect a web visitors computer. This then leads to further hacking of the target machine to steal passwords or financial information. The following graph chart illustrates the most common types of sites to be infected with malware:

dangerous web sites

Data capture – stealing commercially sensitive information including customer data and business critical information.

Data loss – the complete destruction of web content and data.

“In a recent instance, a firm in Warrington, Cheshire, that designed a revolutionary blade for wind turbines went bust after hackers stole the blueprint and produced a cheaper version.” – Telegraph Online. [1]

Bot-net – a specific type of malware that takes over the server to use it in attacks on other web sites such as the denial of service attack on Visa and Mastercard. [7]

attacks per day

 

From Symantec Internet Security Threat report. [6]

Hacking tools are readily available online to download, and web sites supporting hacker culture abound.

Types of exploits

So how is your business web site vulnerable?

Server vulnerabilities – loopholes in the software that web servers run allow a foothold for hackers. Most web hosting companies patch these holes with software updates on a regular basis.

Password vulnerabilities – passwords allow access to your web space, hosting control panel, FTP (file transfer protocol) system, and web admin areas. Poor passwords akin to leaving your house or car unlocked and can lead to a chain of events that can be devastating for an individual or business, as discovered by Mat Honan of Wired.com. [5]

“SplashData, a password management software developer, revealed its annual list of the 25 most common passwords. No.1? Password!” – Digital Journal[4]

Web application vulnerabilities

Web sites can either be static or dynamic. Static web sites are essentially like a magazine page. They simply present information in a specific fixed layout. These are generally quite (but not completely) secure. Dynamic pages are “alive”, guided by a computer program running on the server. These pages are very vulnerable to attack. Common dynamic web applications include Joomla, WordPress, and Oscommerce, but just about  every web site includes some element of dynamic code to handle contact forms and search boxes.

What must you do?

Have a professional assessment of your web site’s vulnerability.

If you run your own server, update the software regularly. Consider switching to a secure hosted solution like technologi.st/hosting

Make sure all passwords are strong, and change them periodically. Do not use recognisable names, but include upper and lower case characters, numbers and symbols. Consider using a strong password generator and store the passwords somewhere safe.

Keep web applications up to date with the latest software patches and updates. If you use an open source solution, these updates will be available on a regular basis. Ensure that you stay up to date.

Install a web firewall. A web firewall inspects all activity on the server, and has the ability to block anything malicious. It provides protection from attacks that might affect old or weak web applications, plus “zero day attacks” which are exploits so new that they have not been patched.

Scan your web site for malware on a daily basis.

Backup your site. Having a recent backup of your web site and associated databases is an essential part of your operational security. In the event of a zero day hack or technical failure, the backup can save hours, days or weeks of work.

If you are in any doubt about your site’s security consult an expert.

References:

[0] Sony: http://www.bbc.co.uk/news/technology-21160818

Apple & Facebook: http://thenextweb.com/apple/2013/02/20/how-an-apple-developer-site-led-to-hacking-of-apple-and-facebook-without-the-owners-knowledge/

Twitter: (multiple account hacks: http://j.mp/XEEi2B)

[1] http://www.telegraph.co.uk/technology/news/8845100/Foreign-hackers-putting-UK-firms-out-of-business.html

[2] Symantec – The Vulnerability Knowledge Gap Whitepaper. 2013.

[3] http://www.information-age.com/technology/applications-and-development/1689138/facebook-ipo-reveals-hacker-culture

[4] http://digitaljournal.com/article/335497#ixzz2LcVBoLnq

[5] http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

[6] http://www.symantec.com/threatreport/

[7] http://www.independent.co.uk/news/uk/crime/anonymous-hackers-jailed-for-ddos-attacks-on-visa-mastercard-and-paypal-8465791.html

No comments

Jeremy Webb

Chief technologi.st & Adventurer about.me/jeremy.webb

Jeremy WebbHacking: motives, methods and how to protect your web site.

Related Posts