Posts from August 2012
Having your website hacked can be a devastating experience, and unfortunately for you, hijacked websites can be very useful tools for criminals. Hackers may want to use your site to propagate viruses, steal your customers’ information, or commit other crimes – and it’s not as far fetched as you might hope or think.
In this “Protecting your website” series, I’ll be taking you through the ways that you can protect your site. This week we’ll focus on password security.
Your FTP and/or SSH credentials are the keys to your kingdom. Guard them well!
Have you ever used the same password for more than one site?
If we look back over just the last couple of months, the volume of passwords that have been stolen from sites such as LinkedIn, Gizmodo, Yahoo! and others is huge. Use the same password on more than one site, and you’ve hurt yourself more than you can imagine.
Of course, choosing a different password for every different site is not an easy thing to do by yourself. Eventually you’ll find yourself writing the passwords down and this is clearly not a great idea!
Fortunately there is a solution: Sign up for a service such as LastPass which can be used to generate passwords for every site you visit, and store them in an encrypted file.
Stealing passwords with a virus
Unfortunately there are several other ways an attacker can steal your password. A common way is by using a virus, which can read your keystrokes as you unwittingly type your password in. Other viruses can look at the information your computer keeps to ‘remember’ your passwords, so you don’t have to re-type them.
To protect yourself against these problems, always:
1) Ensure you run up-to-date virus scanning software. If you’re running Windows, you could download Microsoft Security Essentials or AVG, which are both free and will protect you well. If you’re running on a Mac – don’t be complacent. Macs have now become popular enough to be legitimate targets for viruses.
2) Be wary of logging into your site on someone else’s computer. Not sure what’s been downloaded in the past? Using a computer owned by someone who’s not particularly clued up? It’s probably best to steer clear!
3) Change your password frequently. Especially if you’ve had the misfortune to avoid the advice in (1) and (2)! If your password is out of date before an attacker has a chance to use it – you’re winning again.
4) If you’re running an old copy of the Internet Explorer browser, upgrade it now. There are a number of attacks that are specifically targeted at Microsoft’s infamously insecure old browser versions. Better yet, download the most secure browser available – Google Chrome.
Stealing passwords by sniffing
FTP does not protect your username or password when you access your website’s files. If an attacker has control over any of the machines inbetween your computer and your server, they can see your username and password floating past. This eavesdropping activity is known as ‘packet sniffing’, and is a relatively trivial exercise.
Have you ever sent passwords in an e-mail? Again, it’s very easy to read e-mails as they fly around the Internet.
Think of it as sending a postcard with your secret information in plain sight as it goes through the sorting office.
To avoid this, wherever possible, use SFTP rather than FTP to connect to your site. SFTP uses SSH to communicate, which is secure (as the name “Secure SHell” suggests). And never send passwords around in an e-mail!
Brute force attacks
Even if you manage to avoid your password being stolen, another way hackers can get into your site is through an attack known as ‘brute force’. Such an attack typically involves cycling through a list of possible words (such as a dictionary) until the attacker is let in.
To protect yourself against this form of attack, make certain you choose a ‘strong’ password. Conventionally, a strong password is never just a single word that could be found in a dictionary or book of names.
Mix up your password with symbols and numbers.
Remember that LastPass site I mentioned before? It’ll generate you a strong password with a click of the mouse, and remember it for you.
Of course, if the worst does happen, and your site does get hacked: Make sure you’ve got a backup ready to roll! Backup Machine can backup your website for you every day, automatically.