“Secure Enough” for What?

When you tell yourself, or a web professional, that the site is “secure enough,” you accept a lot of risk without really understanding the consequences.

When we speak to people about website security, they often respond with concerns about payment fraud and identity theft. Users try to address those problems by using third-party payment gateways or externally hosted shopping carts. Those users miss real security risks because they make the mistake of trying to scale headline news stories to their own small businesses. If they are so small, then why would they be a target?

A Different Game

“Why would anyone want to hack my website?” you say to yourself. “I don’t even store personal identifying information on my website. There’s nothing to gain from hacking my website.” True enough, but you missed the real reasons that someone wants your website. I had designed websites since 1992 but only started hosting in 2003. Back then, I still believed those reassuring stories about my security.

Fool Me Once, Shame on You

We now prevent everything I’m about to share, but like a neighborhood watch, we still rely on user observations to prevent the unforeseen.

One night I watched a hacker from Brazil deface my website. My introduction to script kiddies had begun. At the time, we had a live chat feature on our website, and it tracked the user as he moved from page to page until he found exactly what he wanted. The next thing I knew, they had defaced my website. My page displayed unfriendly content about the USA along with skulls and self-glorifying statements about how this person was the greatest hacker of all time. My education launched at a running pace.

What if they already stole the credit cards?

One client faced that scenario from an IP in West Africa. Orders were never completed, but each order started and progressed to the stage of entering credit card data. His bank charged him for every card number verified. The scammer nickel-and-dimed him into a slow froth. We identified the IP range and blocked it. Then they moved to another IP range in another country. Eventually we had everything locked down tight. The problem presented to us was manual input. Manual input made the otherwise normal behavior hard to block. How would we know manual input from automated input? All the user names were adjacent letters on a QWERTY keyboard, ljlj and fdsd.
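One way to combine the signals from that incident (orders abandoned at the card-entry stage, keyboard-mash user names, a shared IP range) into a review list. This is an added example, not LyonsHost's tooling; the order-record fields, the thresholds and the sample data are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# QWERTY letter rows; each key gets a (row, column) grid position.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

def is_keyboard_mash(name, max_step=2):
    """True when every consecutive letter pair is within max_step keys
    on the grid, as in 'ljlj' or 'fdsd'. Weak signal on its own."""
    name = name.lower()
    if len(name) < 4 or any(ch not in POS for ch in name):
        return False
    return all(
        max(abs(POS[a][0] - POS[b][0]), abs(POS[a][1] - POS[b][1])) <= max_step
        for a, b in zip(name, name[1:])
    )

def suspicious_ranges(orders, min_abandoned=3, min_mash_ratio=0.5):
    """Group orders that reached card entry but never completed by /24,
    then flag ranges where most of the user names look like mash."""
    per_net = defaultdict(list)
    for ip, user, reached_card, completed in orders:
        if reached_card and not completed:
            net = ip_network(f"{ip}/24", strict=False)
            per_net[str(net)].append(user)
    flagged = {}
    for net, users in per_net.items():
        mash = sum(is_keyboard_mash(u) for u in users)
        if len(users) >= min_abandoned and mash / len(users) >= min_mash_ratio:
            flagged[net] = (len(users), mash)  # (abandoned orders, mash names)
    return flagged

# Constructed sample: (ip, user name, reached card entry, order completed).
# Addresses come from the reserved documentation ranges.
SAMPLE_ORDERS = [
    ("203.0.113.10", "ljlj", True, False),
    ("203.0.113.44", "fdsd", True, False),
    ("203.0.113.45", "asdf", True, False),
    ("203.0.113.90", "jkjk", True, False),
    ("198.51.100.7", "fred", True, True),    # mash-like name, real purchase
    ("198.51.100.8", "maria", True, False),  # ordinary abandoned cart
    ("192.0.2.15", "jonathan", True, True),
]

if __name__ == "__main__":
    print(suspicious_ranges(SAMPLE_ORDERS))
```

The name check alone would flag a real customer called "fred", which is why the sketch only reports a range when the name signal and the abandoned-at-card-entry signal agree.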

Losing a day’s productivity is bad enough, and being bled one drop at a time with bogus charges is no picnic either. That’s not the worst of it. If you feel “secure enough,” you could miss the real threat. Everything, including perspective, changes over time. Many people treat their websites like a home in the country or a small town where you know every neighbor. Things have changed since my first page written in HTML in 1991. Our network represents a nice neighborhood, but we pay a cost to preserve that feeling, for very good reasons.

They Want Your Website

Your site represents a great target because of the value it offers to illicit operators. Most attacks target servers with good reputations. Like the criminal who covers his tracks by operating out of an upscale neighborhood, hackers seek out servers with good reputations to exploit for spam and phishing.

Real-time Black Lists (RBLs) represent one of the key tools for protecting users from spam. When servers start to spew spam, they get listed on any number of RBLs, like http://multirbl.valli.org/. Websites and email get blocked quickly this way. Getting listed can mean having all of your email banned for 24 to 72 hours, depending upon the list and how you manage the incident. In an environment like ours, one bad incident can block hundreds of email users.

Ever get that warning from your browser that it doesn’t trust a page? Someone thought they were secure enough that they didn’t need to update their content management system, like WordPress or Mambo. Hackers subsequently placed a hidden website inside the unsuspecting owner’s site. It might look like a bank or day trading company site, or even Amazon.com. The fake site has a login screen, then it might even forward you to the real website, so you never know that you gave away your login.

We see attempts at phishing and variations on hacked email or spam programs embedded in websites. We run multiple firewalls and file scanners on the servers, websites and email. From time to time a legitimate website owner or developer gets blocked, not for any fault of theirs. We can usually fix that in minutes. Users who believe in “safe enough” still pose the biggest threat.

Most users ignore website updates because they think it’s complicated or expensive. That’s no longer true. Newer content management systems update themselves with a single click. As an Installatron hosting partner, LyonsHost also offers an option for completely automated software updates. Installatron also updates your plugins for you so most updates happen without the user getting involved.

Hopefully you won’t settle for “secure enough” any longer. If you need a hand, please contact Barbara or Jonathan.