In Spring of 2011, I was hacked. What followed was a full week of tracking down injected code and restoring backups.
Let’s start from the beginning. Our team was shoulder deep in creating a fully managed and customized MLS site for a multi-million dollar client, and our coders and designer were going full bore with a completion date on the horizon, when we started getting strange reports from IIS (Microsoft’s Internet Information Services). The reports indicated that there was a process I did not recognize running on my server – an alien entity we did not create, which was making and serving requests to and from users on the Internet.
What would a hacker or group of hackers possibly want with my server? I had a pretty good idea, but since this was my server, and these were my websites, I set out to be specific.
1. To Create a Botnet or Zombie Node
Hackers or malware developers will set out to create a network of “zombie” nodes which are computers that have malicious software running in the background to facilitate broader attacks on their own list of targets. Think of it as a CPU farm – companies that are in the graphics processing business, like ILM (the people responsible for Avatar’s amazing CGI) use CPU farms to process the huge, demanding computer graphics for the film. A CPU farm is simply a warehouse of computers linked together over a high speed network to crunch numbers. The more CPU cores that are in the farm, the faster each “number” is crunched.
In the same way, hackers use “zombie” computers to carry out DDoS attacks. The more zombies they have, the more effective the attack is. Over Christmas 2014, “Lizard Squad” used thousands of zombie nodes to bring down PlayStation Network and Xbox Live on Christmas day. See that report here.
2. To Use Your Computer as a Proxy
Real hacking, like the type you see in the movies, doesn’t exist. Or, more specifically, it’s not glamorous, and it takes 100x longer in real life than it does in the movies. People who are out to get real information like credit card info, personal data and bank accounts also want to cover their tracks. To do this, they will use a compromised computer or website as a proxy. Once their proxy is set up on your web server or computer, they will piggyback their connectivity through you, then on to another proxy, and another. This makes it difficult to track where they physically are.
3. For Bragging Rights
Some hackers are just in it for the glory. While that’s essentially not OK, these hackers do in fact expose exploits in legitimate systems and leave their “calling card” for system administrators to see. The professional and legitimate name for these hackers is “white hat hackers”, and they are sometimes employed by the people they hack… however, prosecution is a more likely outcome for these people, assuming they are identified.
So, what can I do to prevent my website from being hacked? Understand that no matter how tight your security is, people who spend their days seeking security holes and exploits will eventually find a way in – not always, and not without gigantic amounts of effort, but it does happen. That’s why software providers like Microsoft are continually pushing updates to your PCs and web servers. Eventually a security loophole will be found, exploited, and fixed.
1. Use Complex Passwords
I can’t tell you how many times I’ve gotten passwords from clients that amount to “1234567”. C’mon people, you’re better than this.
2. Use Dual Authentication
A two-step authentication process is a huge brick wall to hackers. Requiring a complex password plus a code from a mobile device the user carries means a stolen or guessed password alone is not enough to log in, which is a great step toward keeping your site secure.
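To make the “mobile device” step concrete, here is an added example (not code from the original post) of how a time-based one-time code works and how a server checks it only after the password has passed. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library alone; the user record, the password and the shared secret are constructed for the demo (the secret is the RFC test-vector key, so the codes match the published values), and the replay marker on the user record is an assumed design, not something the post describes.

```python
"""Two-factor login check: a password hash plus a time-based one-time code.

Added example, not code from the original post. HOTP (RFC 4226) and TOTP
(RFC 6238) are implemented with the standard library only; the user record,
the password and the shared secret below are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 100_000


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time (what the phone app computes)."""
    return hotp(secret, int(at_time) // step, digits)


def create_user(password, totp_secret):
    """Constructed user record: salted PBKDF2 password hash, TOTP secret, replay marker."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "last_counter": -1,  # highest time step already used for a successful login
    }


def login(user, password, code, now=None, step=30, window=1):
    """Both factors must pass: the password first, then a code for the current time step
    (plus/minus `window` steps for clock skew). A code that was already accepted is refused."""
    now = time.time() if now is None else now
    expected = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(expected, user["pw_hash"]):
        return False
    counter = int(now) // step
    for c in range(counter - window, counter + window + 1):
        if c <= user["last_counter"]:
            continue  # replay of a code from a step that already authenticated
        if hmac.compare_digest(hotp(user["totp_secret"], c), code):
            user["last_counter"] = c
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector key, constructed demo only
    user = create_user("correct horse battery staple", secret)
    print("code the phone would show at T=59:", totp(secret, 59))
    print("login with password + code:", login(user, "correct horse battery staple", "287082", now=59))
    print("same code replayed:", login(user, "correct horse battery staple", "287082", now=59))
```

The password is checked first and with a constant-time comparison, so an attacker never gets to test one-time codes against an account whose password they do not hold; the `last_counter` marker keeps a code that was intercepted (or shoulder-surfed) from being reused inside the skew window.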
3. Secure URL Variables
Parameterize your URL variables. An open-ended URL variable that is dropped straight into a SQL statement is easy to exploit: whatever the visitor puts in the query string becomes part of the query itself.
4. Use Server-Side Validation
Client-side validation is great for the user experience, but it runs in the visitor’s browser, where it can be edited or skipped entirely. Having your web server validate every request again on its own side is far more secure.
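Points 3 and 4 fit together, so here is one added example (not code from the original post) showing the open-ended query the post warns about beside its hardened form: the value from the URL is first validated on the server, then passed to the database as a bound parameter. The `listings` table, its rows and the `MLS-nnnn` identifier format are constructed assumptions for the demo, and SQLite stands in for whatever database the site uses.

```python
"""Server-side validation plus a parameterized query for a URL variable.

Added example, not code from the original post. The `listings` table, its
columns and rows are constructed; `mls_number` stands in for a value taken
straight from the query string of a listing-detail page.
"""
import re
import sqlite3


def make_db():
    """In-memory SQLite table standing in for the MLS site's listing data (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE listings (id INTEGER PRIMARY KEY, mls_number TEXT, price INTEGER)"
    )
    conn.executemany(
        "INSERT INTO listings VALUES (?, ?, ?)",
        [(1, "MLS-1001", 350000), (2, "MLS-1002", 525000), (3, "MLS-1003", 199000)],
    )
    return conn


def lookup_vulnerable(conn, mls_number):
    """The 'open-ended' pattern the post warns about: the URL value is pasted into the SQL
    text, so a value containing a quote changes the query instead of just the data."""
    sql = f"SELECT id, mls_number, price FROM listings WHERE mls_number = '{mls_number}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, mls_number):
    """Fix 1: the value travels as a bound parameter, so the query's shape cannot change."""
    return conn.execute(
        "SELECT id, mls_number, price FROM listings WHERE mls_number = ?", (mls_number,)
    ).fetchall()


MLS_NUMBER = re.compile(r"MLS-\d{1,8}")  # assumed identifier format for this site


def validate_mls_number(value):
    """Fix 2 (server-side validation): reject anything that is not a well-formed identifier,
    regardless of what the browser's JavaScript checked, since the client can skip that."""
    if not isinstance(value, str) or MLS_NUMBER.fullmatch(value) is None:
        raise ValueError("invalid MLS number")
    return value


def lookup_hardened(conn, mls_number):
    """Both layers together: validate on the server, then query with a bound parameter."""
    return lookup_parameterized(conn, validate_mls_number(mls_number))


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # the classic textbook input, constructed for the demo
    print("vulnerable, normal input :", lookup_vulnerable(db, "MLS-1001"))
    print("vulnerable, crafted input:", lookup_vulnerable(db, tautology))  # every row returned
    print("parameterized, crafted   :", lookup_parameterized(db, tautology))  # no match
    try:
        lookup_hardened(db, tautology)
    except ValueError as err:
        print("hardened, crafted        : rejected before any SQL runs:", err)
```

Parameterization alone already stops the query from being rewritten; the server-side validation in front of it rejects malformed input before it reaches the database at all, gives the application a single place to log rejected requests, and protects any code path that was written without a bound parameter.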
5. Use SSL
This is a no-brainer. SSL (Secure Sockets Layer, today implemented as TLS) makes sure all data passed between the client and the server is encrypted in transit and cannot be modified along the way without being detected.
The next question you should be asking is “Is it worth all this effort?” If you’re operating a non-programmatic, static HTML website, one that can be backed up and restored easily, then you may be taking on too much overhead for the result you’re looking for – however, I will always advocate for better security.