Imagine how mortified Burger King was when it reviewed its home page one day in 2001 and saw a parody of the McDonald’s Web site placed there by hackers. Picture similar despair at Microsoft, Intel and The New York Times, each hacked and reduced to the communication whims of criminals.
Perhaps the site owners got off easy in these high-profile instances. A defaced home page is easy to spot and simple to fix. What’s far more dangerous is an attack designed to avoid detection. According to Christopher Boyd, director of malware research at FaceTime, a Foster City, Calif.-based enterprise security solutions provider, these attacks are much harder to identify. “We’ve seen sites hosting malicious files for over a year before something has been done about it,” he says.
Furthermore, these stealth attacks have the potential for much greater harm than simple graffiti. A popular attack involves using a Web site to host hidden iFrames that download malware files from the Internet. “Often, the people behind these attacks are involved in illegal pornography, so it’s essential that Webmasters have a good idea how serious an attack could be,” Boyd says.
According to a recent study released by the security firm Sophos, there are an estimated 450,000 Web sites that are infected with malicious code. These attacks can be costly for Web site owners.
Here are some methods to ensure your site is truly your own and not owned.
Keep Your Cards Close: Hackers aren’t lazy criminals looking for loose security — in some cases they are a well-coordinated team launching a planned attack on a specific Web server. Stefan Dietrich, the chief technology officer at New York-based Childs Capital, recalls fighting off a break-in attempt by a group of at least five people based in a university lab in South Korea. “When I looked into the attack, it turned out that they had been testing the server’s security weeks before they actually started the attack,” he says.
His recommendation is to harden the environment to reveal as little information as possible. For example, standard Web servers are configured to reveal the version number of the Web server. This should never be the case in a business system. This information helps hackers by allowing them to launch targeted attacks against known weaknesses of that specific version.
Keep It Updated: Keep your Web server (Apache or Internet Information Server) and the operating system up to date with all patches. It could be a huge mistake to forgo security patches while waiting for the next stable version release.
Choose a Hosting Provider Carefully: The majority of hacked sites are hosted by a third party. If you outsource your Web hosting, your hosting provider’s security measures are a huge factor. “I can’t stress enough to check out what people say about the security of the host you’re planning on using beforehand,” Boyd says. “Sometimes it’s better to pay a little more for solid protection than to cut costs and be faced with cleaning up a serious breach a few months later.”
With hosting packages running the gamut from $10 to thousands per month, choosing a host is a tough decision. Conducting Internet-based research is a good idea, but remember that hosting companies pay attractive affiliate fees, so often those hosting review sites will recommend the providers that pay them the most. Seek advice from peers and respected IT publications, using feedback in popular forums such as SitePoint and Digital Point to fill in the gaps.
Know What’s Out There: “It’s incredibly important that Webmasters keep up with the latest malicious code threats or zero-day threats that could directly affect them,” says Ron Teixeira, executive director of the National Cyber Security Alliance, a nonprofit organization dedicated to security awareness for home users and small businesses. The United States Computer Emergency Readiness Team provides Webmasters and small businesses with free alerts on new malicious codes spreading on the Internet, available at www.us-cert.gov/cas/alerts.
It’s important to share this information with the team. Anyone who comes close to your Web server should have a good understanding of common intrusion methods and some knowledge of how to spot a hacking attempt.
Use the Right Toolset: There are numerous tools to help you keep a close eye on your Web server. These can detect changes to page content, file sizes and MD5 checksums, and then send you a notification if suspicious activity is detected.
A great list of 100 top-rated security tools (both open source and commercial) is available at www.sectools.org. There you will find a full set of sniffers, network probing utilities and many other useful applications to help track down network problems or monitor activity.
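As an added example (not from the article or from any tool it names), here is a small Python file-integrity monitor of the kind described under Use the Right Toolset: it baselines every file's size and MD5 hash, reports added, removed and modified files, and scans the changed files for the hidden iframes mentioned earlier. The site tree and the tampering it detects are constructed inline, so it runs offline.

```python
import hashlib
import os
import re
import tempfile

# Iframes hidden by zero size or display:none, the trick used to silently pull
# malware from another host into an otherwise normal-looking page.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|display\s*:\s*none)",
    re.IGNORECASE)

def snapshot(root):
    """Return {relative_path: (size, md5)} for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            manifest[os.path.relpath(path, root)] = (len(data), hashlib.md5(data).hexdigest())
    return manifest

def compare(baseline, current):
    """Classify added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def hidden_iframes(root, paths):
    """Return the subset of paths whose content contains a hidden iframe."""
    flagged = []
    for rel in paths:
        with open(os.path.join(root, rel), errors="replace") as fh:
            if HIDDEN_IFRAME.search(fh.read()):
                flagged.append(rel)
    return flagged

def demo():
    # Constructed site tree: baseline it, simulate a compromise, then audit.
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body><h1>Welcome</h1></body></html>")
    baseline = snapshot(root)
    with open(os.path.join(root, "index.html"), "a") as fh:  # injected hidden iframe
        fh.write('<iframe src="http://example.invalid/x" width="0" height="0"></iframe>')
    with open(os.path.join(root, "dropped.php"), "w") as fh:  # placeholder dropped file
        fh.write("<?php ?>")
    report = compare(baseline, snapshot(root))
    report["hidden_iframes"] = hidden_iframes(root, report["added"] + report["modified"])
    return report  # → added: dropped.php, modified: index.html, hidden_iframes: index.html
```

In practice the baseline manifest would be written once to a location the Web server cannot modify and compared against a fresh snapshot on a schedule.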
Try Your Hand at Hacking: If you’re eager to truly understand what you’re up against, there’s no better way to learn about hacking methods than to dabble in black arts yourself. Now, we’re not suggesting you deface your competitor’s home page — you can test your Web server’s security using a production site or demo site created for security testing purposes.
To gather some of the nasty bits of code that hackers use, you don’t need to scour the dark corners of the Internet. The Metasploit Framework (www.metasploit.com) is a platform for developing and testing exploit code. Here’s the best part: It includes hundreds of exploits used by hackers every day that you can employ against your own site in a controlled test.
Have an Emergency Plan: Contingency planning is generally a thankless task that ranks low on to-do lists, but a small amount of planning can do a great deal to minimize the impact if your site is hacked. Of course, the circumstances of the intrusion will in part dictate the required response, but Web site owners can take some preparatory measures. For instance, you can open a line of communication with your Internet service provider on what to do if you are the target of a denial of service attack. Does it have an emergency contact available 24 x 7 whom you can call? If you outsource hosting, what are your hosting company’s processes for handling intrusion attempts? What escalation methods are available?
So You’ve Been Hacked: If the worst happens, keep your head. Don’t rush in and delete all the offending files. First, back everything up before cleaning out the offending hijack. Contact your host to tell them they’ve been compromised. Remember that the offending files in some cases provide valuable information about the identity of the hackers and can be used by law enforcement to track them down.
Boyd says it’s important that you insist that your host move you to a different server while they fix the mess. “If they hacked your site, it’s entirely possible they hacked others or even gained control of the entire server.”
Finally, you should always contact your local law enforcement when such an attack occurs.
Dan Skeen is director of search engine marketing for Quarry (www.quarry.com), a communications agency in Waterloo, Ontario.