Online businesses rely on work all the time, 24/7. Customers expect total reliability from their favorite online stores, games and forums. Nothing can be worse for business than to be unavailable. This is even worse if it is because data was compromised. Now more than ever, cyber security is one of the most pressing issues facing online development. Watch our video to learn about the methods that hackers use to get into your system, and what you need to do to protect your valuable data.
End of testing. Two more to go.
Let’s talk website security.
Why do people want to hack your website?
I went through university with a gentleman who was very good at hacking. He did it because he was bored. He was in a course that didn’t challenge him and he would go in and hack sites and not break anything. He would just leave little messages, like “fix up your website security”. He was just bored, he was looking for a challenge. Other people are certainly looking to cause havoc.
The most common case that we see is to use your site for a purpose. A lot of times, if you’ve got a promotional website, if I hack that website, I can put up something defaming; but what does that do for me? What I would rather do is have control of that website and be able to do other stuff with it.
Denial of service attack
Let me give you two examples. One is, if I can take control of 10,000 websites, I can use those websites to make requests of other websites. So I’ve nefariously taken over website A, I can use it to make a request of website B. If I’ve got website 1 to100,000 and the Australian Bureau of Statistics is running the census and I want to give them a headache, I can take over a whole bunch of websites. All they’re doing is saying “look at me, look at me” and that website just can’t load a page for all of those people simultaneously. That is called a denial of service attack and it is a common reason people do this.
Password reset scams
Another sort that we see, is there anyone here that has had an email that says we’re from the National Australia Bank? And you don’t happen to bank with the National Australia Bank, but you get an email from them saying, “there’s a problem, you need to reset your password”. It sends you off to a website and you put in your new password, you reset it to what it was and then all of a sudden you’re broke and they take your money.
The people doing that don’t want to go and buy a hosting account. If they had to buy a hosting account, they would have to use a real credit card and the police could find them. What they do instead is take over your website and you might not even know. They might just put in a little sub directory somewhere and what they do is put up a page that looks like the National Australia Bank, they send the links to it and assume a reasonable number of people don’t actually check the URLs on their browsers any more. You put the details in, it looks exactly like the NAB, you shoot an email off to them and now they’ve got your bank details. Being taken over, that is another thing that hackers do.
Thirdly, they want to steal your data, they want to steal credit cards, they want to steal passwords. The passwords that people use on your website, a large proportion of those are also used on Facebook and other places. If I can get into your Facebook account, I’ve got a pretty good chance of committing identify theft against you. I can find out bits and pieces, I can do a whole bunch of activities that can allow me to get at you.
How do they do it? They breach security and a lot of that comes down to outdated software. Let me give an example. WordPress is great. It’s a really good package, it has a lot to offer. It has incredible functionality for free when you think about it. But one half of today’s websites in the world are going to be built in WordPress. So do you think there is a platform that hackers are looking at every day to try to find an angle in? If you’ve got a WordPress site, you might think, it mustn’t be good on security. No, it’s actually pretty good on website security, it’s just that it’s being examined so closely because it is such a big target.
What happens is when a vulnerability is exposed, it spreads around the internet, everybody knows about it and we all run our updates and there is good automatic updating material in WordPress these days. But if you’ve got an old version of WordPress, and this can happen in all different platforms as well, that’s where people get in. We’ve certainly seen that. They do a denial of service attack where they get lots of taken over machines to throw a bunch of traffic at you. We had this happen to our clients. We’ve had clients with denial of service attacks against them.
We had one that came out of India and one of the techniques we used was we blocked all traffic from India. They didn’t sell a thing to India. They blocked all traffic to India, the people went away and we were ok.
The last one, if I was going to be a hacker, this is how I would do it. I would use social engineering. I’d get on the phone and I’d tell people a sob story about the password that I’d forgotten. I have no intention of being a hacker but social engineering is using your words, using your ability to talk to operators. So please don’t get irritated with the people who validate you when you ring up whatever institution it is. Those people are absolutely doing you a favour as annoying as it might be. In fact, be worried if you can get to your personal information with any organisation and they don’t pre-screen you, that is a problem. You want to be pre-screened.
How to protect yourself and your site
Protect yourself, use good passwords. A good password is long, has different things in it and it is easy to remember. A computer could hack that password faster than it could hack that one. So I could use what is called a brute force attack, that is getting one computer to simply try again and again. Long passwords that are easy to remember are much better than short passwords even if they have got obscure characters in them. You want to use unique passwords.
My parents find this very difficult. The reason is they just don’t want to remember lots of things. You know what? I don’t want to remember lots of things. So I use password management software. There are really good things that are free out there now. My password for Facebook is not the same as twitter, is not the same for any of the other things.
I happen to live in the Apple eco system. There is a paid one called One Password that I particularly like. There is another one called Last Pass which works in a broad range of areas. It’s good. They have to hack your platform to get at it. So use unique passwords.
Protecting your site. You don’t want to hold valuable data. There is no reason today to hold credit cards. You want to use one way password encryption. We do this for you. If you can get your password back out in plain text from a system, there is a problem. You should never be able to do that.
In WordPress, just change the URL of your admin website. If you can go to yourwebsite.dot.com.au/wp-login.php, that is the standard location, you can change that URL. You then have instantly knocked out ninety percent of the problems that you’re going to experience.
Go lightly on plug ins. Plug ins are additions you can get into WordPress. Some people just go crazy and it’s often a plug in that gets exploited. For a lot of our clients, we now host their promotional websites separately to their application. So if their promotional website is exposed, all they can do is defame the website. They can get nothing of real value.
You want to confirm you have working backups, a local hosting provider. I had the challenge recently, their servers all got taken down and they discovered at that point that none of their backups worked. They had to call all their clients and say we lost your site and lost your backups.
One of the things we’ll often do is for our services, just buy a cheap and nasty hosting account somewhere else. We have a little nightly process that takes all the latest material and just dumps it every night. We’ve never had to use it, we’ve got the hosting backup, that’s what we would actually use. But if the hosting company got taken out in its entirety, we’ve got a little cheap backup happening at a second level.
There is really good monitoring to tell you about problems now. NewRelic is a platform that we really like. I just want to give people a question. This is a random question you can ask of any developer and say, “what do you do about SQL Injection attacks?”. If you just ask that, if you get people looking back with glazed eyes, run. First year developers know the answer to this question. This is a really easy one to test any developer.
If you’re worried, you can look like an expert by typing in the name of your technology – WordPress, Django, whatever it is – then ‘security checklist’, these things are published all over the internet.
So, you can understand how important it is to protect your data and protect your website. Hacks can happen at any time and for no personal reason. Most often, an attack is the result of someone who is trying the same thing thousands of times to everyone’s site. They’re just randomly looking for weaknesses to exploit. Make sure to do your homework and protect your data from websites to passwords, so you are not overtaken by surprise.
Do you need help with your online security while in development on an important project? Don’t hesitate to get in touch today. We’re looking forward to hearing from you.