Webmaster Advice


When is a Backup Not a Backup?

by Steve

At Backup Machine we cater for customers from all manner of different hosting companies.  Our aim is to be a universal system for all website owners, disconnected from the company and server systems of their selected hosting providers.  A fail safe in a time of need.

However, one type of website is out of our reach: The “Website Builder” website.

Website builders let you create a website, on your own, through the web.  You know the ones – “Choose your colours, choose your menus and widgets, type your content, etc.”

These systems have incredible appeal – you can often get a good looking website up and running incredibly quickly, and without any technical skills.  But beware!  Unless you have access to your website’s files and database, you are stuck with your provider.  There is usually no effective way for you to move that website elsewhere should you want to or need to.

Recently a customer contacted us regarding one of these sites. They had been told by the website builder company to use “HTTrack Website Copier” to run their backups, should they wish to take a copy themselves.

Do not be fooled!  HTTrack will take a copy of your website in the same way that taking a photo of your car is a copy of your car.  It might look like your car, but none of the controls will work, and you’ll certainly be late for work if you try to use it.

HTTrack will not copy the necessary nuts and bolts to make your website ‘work’.  Your backup might contain a copy of the content of your blog posts, but you won’t be able to post anything new and none of the other dynamic content on your website will work.

If you want to be able to run your website anywhere, you need access to your website’s files and its database.  Without this, you’re stuck with your current provider, and you must make sure you’re satisfied with their backup arrangements.

Getting Away with a Terrible Mistake thanks to Backup Machine!

by Steve

Have a look at the following Tweets.  Feel sorry for these folks for a while and then ask yourself: If you did this to your site, would everything work out fine?

Overwriting Files


We hear these sorts of stories frequently at Backup Machine, although usually there’s a sigh of relief and a huge “Thank you!” in conclusion.  You never know when you’ll be over-tired, distracted, or just unlucky and click the wrong button.  Let us help you make sure you can get away with it!

Evernote hacked! Change your passwords.

by Steve

Here at Backup Machine, we’re great fans of the popular note-taking service Evernote.

Unfortunately, their systems have just been compromised, leaving the possibility that a criminal group has got a copy of your username and one-way-encrypted password.

So if they’ve used one-way encryption, what’s the problem?

One-way encryption (hashing) is a great idea, and we use it at Backup Machine too.

However, even with a hashed password, it’s possible (with enough time and processing power) to find its original value: an attacker simply hashes guess after guess until one matches.
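To show why hashing alone is not the whole story, here is an added example (not code from Backup Machine or Evernote): the weak scheme of one fast, unsalted hash beside a per-user salted, deliberately slow PBKDF2 digest. The sample password and the record layout are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample password for the demo (not a real credential).
SAMPLE_PASSWORD = "correct horse battery staple"

# Work factor for PBKDF2-HMAC-SHA256: every guess costs this many rounds.
ITERATIONS = 600_000


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme many breached sites used: one fast hash, no salt.
    Two users with the same password get the same digest, so a leaked
    table can be matched against precomputed digests of common passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """Store a random per-user salt plus a deliberately slow PBKDF2 digest.
    The salt forces every guess to be hashed once per user; the iteration
    count makes each of those guesses cost real time."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Same password, same unsalted digest: one lookup list cracks the whole table.
    print(fast_unsalted_hash(SAMPLE_PASSWORD) == fast_unsalted_hash(SAMPLE_PASSWORD))
    a, b = make_record(SAMPLE_PASSWORD), make_record(SAMPLE_PASSWORD)
    # Same password, different salted digests: no shared lookup list is possible.
    print(a["digest"] != b["digest"], verify(a, SAMPLE_PASSWORD), verify(a, "wrong"))
```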

What should I do?

First of all, if you use Evernote – change your password there: http://evernote.com/corp/news/password_reset.php

Hacks like this serve as a reminder for us all to choose a separate password for every service we use.

Your own website’s FTP, SSH and Database passwords are doubly important to protect in this way.  You don’t want to have to change all your different passwords in a hurry when you think you’ve had your credentials compromised.

Help, I’m trying to remember too many passwords!

Of course, these days we all use many online services – and some of us have to choose usernames and passwords for our own services as well.  How do you keep track of them?

We use password management services such as:

These will not only store your many passwords in an encrypted file, but will also generate a new password for each site, ensuring suitable complexity and randomness.

2-factor Authentication

An even better way to protect your services is to use 2-factor authentication.  We’ll cover this in more detail in our next blog post.

Protecting Your Website #2 – Script Exploits

by Steve

Last time we looked at password security, so let’s take a look at another set of tools in the criminal’s toolbox – exploits.

What are Exploits?


Exploits are security problems that allow an attacker to do things with your site that you didn’t intend them to. In the real world, picking a lock could be considered an “exploit” as it allows the picker to access something they shouldn’t.

If you run a simple website which only shows the same content over and over again (e.g. it just has HTML and image files) then you’re relatively safe: unless an attacker can exploit the web server itself, you’re probably out of harm’s way.

However, the moment your website starts doing things with scripts and/or a database, you have to be far more careful. If an attacker can make your scripts do things you weren’t intending, they can potentially do some of the following:

1) Access information on your database which they don’t normally have access to:

Imagine if an attacker got hold of your customer list – this could potentially land you in trouble with data protection agencies. Not to mention the problems with your customer list being spammed.

Or perhaps they download your users’ usernames and passwords?  Now, we assume that there isn’t a list of unprotected passwords in your database – but even when encrypted or hashed, recent hacks have demonstrated that even these measures can be overcome.

Again, you shouldn’t be storing credit card information unencrypted, but if a hacker was to get hold of your customers’ credit card details, you could find your bank’s merchant facilities withdrawn.

2) Update files within your website:

An attacker could simply redirect your customers to their own websites.  If they were in a malicious mood, they could deface your brand.  Or, without you even becoming aware, they could illegitimately improve their own search engine rankings by placing back-links within your website.

3) Launch attacks on other servers:

Once your site is hacked, it can become a useful stepping stone to carry out attacks elsewhere on the Internet. If such an attack were ever traced back, it would appear to come from your site, rather than the real culprit’s.

4) Use your website to host illegal material:

I don’t think I really need to describe the sort of files criminals would like to store.  Needless to say, you don’t want it associated with your site!

These are just some of the things they can do – but the list is endless.

That said, let’s have a look at some of the things you can do to protect yourself.

Old Versions of Blog, Shopping Cart or CMS Software


The most common threat to your website comes by running old copies of off-the-shelf software (such as the popular blog software: WordPress). Because they are installed on so many websites, they are a very attractive target for hackers. To counteract this problem, these systems are updated frequently to fix security holes.

If you run any downloaded (or pre-installed) software on your site, you must ensure it is up to date, otherwise you could be at risk. This applies to the main piece of software, as well as any plugins you might be using.

If you’re a WordPress user: Log into your admin area (I trust you have read our last post about password security) and make sure you don’t see any alerts asking you to upgrade.

Current vulnerabilities are held on public lists – so if you’re not up to date, it’s fairly trivial for an attacker to exploit your out-of-date website.  Here is a list for WordPress:

http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html

Free Plugins / Themes

If you’re using any plugins that you downloaded for free from the Internet, make sure that they don’t create security vulnerabilities in your site. Be suspicious! In general, the more popular a plugin, the more likely it’s been scrutinised by someone who knows what to look for – but this is by no means a hard-and-fast rule.

If someone wants to create a back door into a large number of websites, all they have to do is to create a popular ‘free’ plugin – and wait for unwitting website administrators to install it.

Even WordPress themes can create holes in your site’s armour. Be wary.

If in doubt – go without!

Database Permissions

Your website runs as a specific user on the server it lives on. It also connects to your database as a specific user. If this database user has the power to drop tables in your database, then so does a hacker that manages to exploit your site. Consider how many database permissions your website really needs – does it really need to be able to alter tables on your database? Probably not.
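An added example of that principle (not Backup Machine’s own code): the application’s database connection is allowed to read and write rows but not to drop or alter tables, so an abused script hits a “not authorized” error instead of destroying data. SQLite has no GRANT, so this uses its authorizer hook to stand in for the MySQL or PostgreSQL GRANT that would omit DROP and ALTER; the `customers` table is constructed for the demo.

```python
import sqlite3

# Actions the website's database account genuinely needs: read and write rows.
# DROP TABLE, ALTER TABLE, DELETE and the rest are deliberately absent.
ALLOWED_ACTIONS = {
    sqlite3.SQLITE_SELECT,
    sqlite3.SQLITE_READ,
    sqlite3.SQLITE_INSERT,
    sqlite3.SQLITE_UPDATE,
    sqlite3.SQLITE_TRANSACTION,
}


def _authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Consulted by SQLite as each statement is compiled; DENY aborts it."""
    return sqlite3.SQLITE_OK if action in ALLOWED_ACTIONS else sqlite3.SQLITE_DENY


def least_privilege_connection() -> sqlite3.Connection:
    """Build a small constructed schema with full rights (the admin step),
    then hand the application a connection limited to ALLOWED_ACTIONS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO customers (email) VALUES ('alice@example.test')")
    conn.commit()
    conn.set_authorizer(_authorizer)  # from here on the reduced rights apply
    return conn


def try_statement(conn: sqlite3.Connection, sql: str) -> bool:
    """Run one statement; True if it executed, False if SQLite refused it."""
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.DatabaseError as exc:
        if "not authorized" in str(exc):
            return False
        raise


if __name__ == "__main__":
    conn = least_privilege_connection()
    for sql in ("SELECT email FROM customers",
                "INSERT INTO customers (email) VALUES ('bob@example.test')",
                "ALTER TABLE customers ADD COLUMN notes TEXT",
                "DROP TABLE customers"):
        print("ok     " if try_statement(conn, sql) else "denied ", sql)
```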

Security Through Obscurity

If you wrote your own scripts, or someone did it for you, you might think that you’re safer than someone who uses an off-the-shelf piece of software. After all, if a hacker works out how to exploit an old version of WordPress, he can expect to be able to hack many websites in one go.

Now, whilst this might be true, there are a number of very common attacks that apply to a lot of bespoke website scripts.

If this applies to you, make sure you or your developer have a good understanding of common vulnerabilities.  Here is a list to get you started:

http://www.computerworlduk.com/how-to/infrastructure/424/the-top-10-web-vulnerabilities-and-what-to-do-about-them/

Much, much more!

We’ll revisit this topic in future, as there is far more to cover. If you have any requests, please let us know in the comments!

Conclusion

Of course, if the worst does happen, and your site does get hacked: Make sure you’ve got a backup ready to roll! Backup Machine can backup your website for you every day, automatically.

Protecting Your Website #1 – Password Security

by Steve

Having your website hacked can be a devastating experience, and unfortunately for you, hijacked websites can be very useful tools for criminals.  Hackers may want to use your site to propagate viruses, steal your customers’ information, or commit other crimes – and it’s not as far fetched as you might hope or think.

In this “Protecting your website” series, I’ll be taking you through the ways that you can protect your site. This week we’ll focus on password security.

Your FTP and/or SSH credentials are the keys to your kingdom. Guard them well!

Reusing passwords

Have you ever used the same password for more than one site?

If we look back over just the last couple of months, the volume of passwords that have been stolen from sites such as LinkedIn, Gizmodo, Yahoo! and others is huge.  Use the same password on more than one site, and you’ve hurt yourself more than you can imagine.

Of course, choosing a different password for every different site is not an easy thing to do by yourself.  Eventually you’ll find yourself writing the passwords down and this is clearly not a great idea!

Fortunately there is a solution: Sign up for a service such as LastPass which can be used to generate passwords for every site you visit, and store them in an encrypted file.

Stealing passwords with a virus

Unfortunately there are several other ways an attacker can steal your password.  A common way is by using a virus, which can read your keystrokes as you unwittingly type your password in.  Other viruses can look at the information your computer keeps to ‘remember’ your passwords, so you don’t have to re-type them.

To protect yourself against these problems, always:

1) Ensure you run up-to-date virus scanning software.  If you’re running Windows, you could download Microsoft Security Essentials or AVG, which are both free and will protect you well.  If you’re running on a Mac – don’t be complacent.  Macs have now become popular enough to be legitimate targets for viruses.

2) Be wary of logging into your site on someone else’s computer.  Not sure what’s been downloaded in the past?  Using a computer owned by someone who’s not particularly clued up?  It’s probably best to steer clear!

3) Change your password frequently.  Especially if you’ve had the misfortune to avoid the advice in (1) and (2)!  If your password is out of date before an attacker has a chance to use it – you’re winning again.

4) If you’re running an old copy of the Internet Explorer browser, upgrade it now.  There are a number of attacks that are specifically targeted at Microsoft’s infamously insecure old browser versions.  Better yet, download the most secure browser available – Google Chrome.

Stealing passwords by sniffing

FTP does not protect your username or password when you access your website’s files.  If an attacker has control over any of the machines in between your computer and your server, they can see your username and password floating past.  This eavesdropping activity is known as ‘packet sniffing’, and is a relatively trivial exercise.

Have you ever sent passwords in an e-mail?  Again, it’s very easy to read e-mails as they fly around the Internet.

Think of it as sending a postcard with your secret information in plain sight as it goes through the sorting office.

To avoid this, wherever possible, use SFTP rather than FTP to connect to your site.  SFTP uses SSH to communicate, which is secure (as the name “Secure SHell” suggests).  And never send passwords around in an e-mail!

Brute force attacks

Even if you manage to avoid your password being stolen, another way hackers can get into your site is through an attack known as ‘brute force’.  Such an attack typically involves cycling through a list of possible words (such as a dictionary) until the attacker is let in.

To protect yourself against this form of attack, make certain you choose a ‘strong’ password.  Conventionally, a strong password is never just a single word that could be found in a dictionary or book of names.

Mix up your password with symbols and numbers.

Remember that LastPass site I mentioned before?  It’ll generate you a strong password with a click of the mouse, and remember it for you.

Conclusion

Of course, if the worst does happen, and your site does get hacked: Make sure you’ve got a backup ready to roll!  Backup Machine can backup your website for you every day, automatically.