Posts from September 2012


Steve Protecting Your Website #2 – Script Exploits

Last time we looked at password security, so let’s take a look at another set of tools in the criminal’s toolbox – exploits.

What are Exploits?

Open Padlock

Exploits are security problems that allow an attacker to do things with your site that you didn’t intend them to. In the real world, picking a lock could be considered an “exploit” as it allows the picker to access something they shouldn’t.

If you run a simple website which only shows the same content over and over again (e.g. it just has html and image files) then you’re relatively safe. Unless an attacker can exploit your web server, then you’re probably out of harm’s way.

However, the moment your website starts doing things with scripts and/or a database, you have to be far more careful. If an attacker can make your scripts do things you weren’t intending, they can potentially do some of the following:

1) Access information on your database which they don’t normally have access to:

Imagine if an attacker got hold of your customer list – this could potentially land you in trouble with data protection agencies. Not to mention the problems with your customer list being spammed.

Or perhaps they download your users’ usernames and passwords?  Now, we assume that there isn’t a list of unprotected passwords in your database – but even when encrypted or hashed, recent hacks have demonstrated that even these measures can be overcome.

Again, you shouldn’t be storing credit card information unencrypted, but if a hacker was to get hold of your customers’ credit card details, you could find your bank’s merchant facilities withdrawn.

2) Update files within your website:

An attacker could simple redirect your customers to their own websites.  If they were in a malicious mood, they could deface your brand.  Or without you even becoming aware, they could illegitimately improve their own search engine rankings by placing back-links  within your website.

3) Launch attacks on other servers:

Once your site is hacked, it can become a useful stepping stone to carry out attacks elsewhere on the Internet. If such an attack were ever traced back, it would appear to come from your site, rather than the real culprit’s.

4) Use your website to host illegal material:

I don’t think I really need to describe the sort of files criminals would like to store.  Needless to say, you don’t want it associated with your site!

These are just some of the things they can do – but the list is endless.

That said, let’s have a look at some of the things you can do to protect yourself.

Old Versions of Blog, Shopping Cart or CMS Software

Wordpress Upgrade Box

The most common threat to your website comes by running old copies of off-the-shelf software (such as the popular blog software: WordPress). Because they are installed on so many websites, they are a very attractive target for hackers. To counteract this problem, these systems are updated frequently to fix security holes.

If you run any downloaded (or pre-installed) software on your site, you must ensure it is up to date, otherwise you could be at risk. This applies to the main piece of software, as well as any plugins you might be using.

If you’re a WordPress user: Log into your admin area (I trust you have read our last post about password security) and make sure you don’t see any alerts asking you to upgrade.

Current vulnerabilities are held on public lists – so if you’re not up to date, it’s fairly trivial for an attacker to exploit your out-of-date website.  Here is a list for WordPress:

http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html

Free Plugins / Themes

If you’re using any plugins that you downloaded for free from the Internet, make sure that they don’t create security vulnerabilities in your site. Be suspicious! In general, the more popular a plugin, the more likely it’s been scrutinised by someone who knows what to look for – but this is by no means a hard-and-fast rule.

If someone wants to create a back door into a large number of websites, all they have to do is to create a popular ‘free’ plugin – and wait for unwitting website administrators to install it.

Even WordPress themes can create holes in your site’s armour. Be wary.

If in doubt – go without!

Database Permissions

Your website runs as a specific user on the server it lives on. It also connects to your database as a specific user. If this database user has the power to drop tables in your database, then so does a hacker that manages to exploit your site. Consider how many database permissions your website really needs – does it really need to be able to alter tables on your database? Probably not.

Security Through Obscurity

If you wrote your own scripts, or someone did it for you, you might think that you’re safer than someone who uses an off-the-shelf piece of software. After all, if a hacker works out how to exploit an old version of WordPress, he can expect to be able to hack many websites in one go.

Now, whilst this might be true, there are a number of very common attacks that apply to a lot of bespoke website scripts.

If this applies to you, make sure you or your developer have a good understanding of common vulnerabilities.  Here is a list to get you started:

http://www.computerworlduk.com/how-to/infrastructure/424/the-top-10-web-vulnerabilities-and-what-to-do-about-them/

Much, much more!

We’ll revisit this topic in future, as there is far more to cover. If you have any requests, please let us know in the comments!

Conclusion

Of course, if the worst does happen, and your site does get hacked: Make sure you’ve got a backup ready to roll! Backup Machine can backup your website for you every day, automatically.