Backup Machine Blog

What's happening at Backup Machine? The team will share updates and insights into life inside the machine!

Protecting Your Website #2 – Script Exploits (by Steve)

Last time we looked at password security, so let’s take a look at another set of tools in the criminal’s toolbox – exploits.

What are Exploits?


Exploits are security problems that allow an attacker to do things with your site that you didn’t intend them to. In the real world, picking a lock could be considered an “exploit” as it allows the picker to access something they shouldn’t.

If you run a simple website which only shows the same content over and over again (e.g. it just has HTML and image files) then you’re relatively safe. Unless an attacker can exploit the web server software itself, you’re probably out of harm’s way.

However, the moment your website starts doing things with scripts and/or a database, you have to be far more careful. If an attacker can make your scripts do things you weren’t intending, they can potentially do some of the following:

1) Access information on your database which they don’t normally have access to:

Imagine if an attacker got hold of your customer list – this could potentially land you in trouble with data protection agencies. Not to mention the problems with your customer list being spammed.

Or perhaps they download your users’ usernames and passwords?  Now, we assume that there isn’t a list of unprotected passwords in your database – but even when encrypted or hashed, recent hacks have demonstrated that even these measures can be overcome.

Again, you shouldn’t be storing credit card information unencrypted, but if a hacker was to get hold of your customers’ credit card details, you could find your bank’s merchant facilities withdrawn.

2) Update files within your website:

An attacker could simply redirect your customers to their own websites. If they were in a malicious mood, they could deface your brand. Or, without you even becoming aware, they could illegitimately improve their own search engine rankings by placing back-links within your website.

3) Launch attacks on other servers:

Once your site is hacked, it can become a useful stepping stone to carry out attacks elsewhere on the Internet. If such an attack were ever traced back, it would appear to come from your site, rather than the real culprit’s.

4) Use your website to host illegal material:

I don’t think I really need to describe the sort of files criminals would like to store.  Needless to say, you don’t want it associated with your site!

These are just some of the things they can do – but the list is endless.

That said, let’s have a look at some of the things you can do to protect yourself.

Old Versions of Blog, Shopping Cart or CMS Software


The most common threat to your website comes from running old copies of off-the-shelf software (such as the popular blog software WordPress). Because they are installed on so many websites, they are a very attractive target for hackers. To counteract this problem, these systems are updated frequently to fix security holes.

If you run any downloaded (or pre-installed) software on your site, you must ensure it is up to date, otherwise you could be at risk. This applies to the main piece of software, as well as any plugins you might be using.

If you’re a WordPress user: Log into your admin area (I trust you have read our last post about password security) and make sure you don’t see any alerts asking you to upgrade.

Current vulnerabilities are held on public lists – so if you’re not up to date, it’s fairly trivial for an attacker to exploit your out-of-date website.  Here is a list for WordPress:

http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html

Free Plugins / Themes

If you’re using any plugins that you downloaded for free from the Internet, make sure that they don’t create security vulnerabilities in your site. Be suspicious! In general, the more popular a plugin, the more likely it’s been scrutinised by someone who knows what to look for – but this is by no means a hard-and-fast rule.

If someone wants to create a back door into a large number of websites, all they have to do is to create a popular ‘free’ plugin – and wait for unwitting website administrators to install it.

Even WordPress themes can create holes in your site’s armour. Be wary.

If in doubt – go without!

Database Permissions

Your website runs as a specific user on the server it lives on. It also connects to your database as a specific user. If this database user has the power to drop tables in your database, then so does a hacker that manages to exploit your site. Consider how many database permissions your website really needs – does it really need to be able to alter tables on your database? Probably not.
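A quick way to answer “does my site’s database user have more power than it needs?” is to compare its grants against a short allow-list. The script below is an added example, not Backup Machine’s code: it parses grant lines in the format MySQL’s `SHOW GRANTS` prints (the sample lines are constructed here, with `webapp` and `shop` as assumed user and schema names) and flags anything beyond plain read/write access on the application’s own schema.

```python
"""Audit a web application's database grants against a least-privilege
allow-list.  Added example, not Backup Machine code.  The grant lines
below are constructed in the format MySQL's SHOW GRANTS prints."""
import re

# Privileges a typical read/write web application needs on its own schema.
# Anything else (DROP, ALTER, FILE, GRANT OPTION, ...) is flagged.
ALLOWED = {"SELECT", "INSERT", "UPDATE", "DELETE"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<user>\S+)"
    r"(?P<option>\s+WITH GRANT OPTION)?\s*$", re.IGNORECASE)

def audit_grants(lines, app_schema):
    """Return a list of (user, scope, problem) findings for the grant lines."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        scope, user = m["scope"], m["user"]
        if privs == {"USAGE"}:
            continue  # USAGE grants nothing; MySQL prints it for every user
        if "ALL PRIVILEGES" in privs or "ALL" in privs:
            findings.append((user, scope, "ALL PRIVILEGES granted"))
        else:
            extra = privs - ALLOWED
            if extra:
                findings.append((user, scope,
                                 "excess privileges: " + ", ".join(sorted(extra))))
        # The web user should only touch its own schema, never *.*
        if scope == "*.*" or not scope.startswith("`%s`" % app_schema):
            findings.append((user, scope, "scope is wider than the application schema"))
        if m["option"]:
            findings.append((user, scope, "WITH GRANT OPTION lets it hand out rights"))
    return findings

# Constructed sample: the weak setup beside the corrected one.
WEAK = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'localhost' WITH GRANT OPTION",
]
TIGHT = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'webapp'@'localhost'",
]

if __name__ == "__main__":
    for label, grants in (("weak", WEAK), ("tight", TIGHT)):
        print(label, audit_grants(grants, "shop") or "no findings")
```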

Security Through Obscurity

If you wrote your own scripts, or someone did it for you, you might think that you’re safer than someone who uses an off-the-shelf piece of software. After all, if a hacker works out how to exploit an old version of WordPress, he can expect to be able to hack many websites in one go.

Now, whilst this might be true, there are a number of very common attacks that apply to a lot of bespoke website scripts.

If this applies to you, make sure you or your developer have a good understanding of common vulnerabilities.  Here is a list to get you started:

http://www.computerworlduk.com/how-to/infrastructure/424/the-top-10-web-vulnerabilities-and-what-to-do-about-them/

Much, much more!

We’ll revisit this topic in future, as there is far more to cover. If you have any requests, please let us know in the comments!

Conclusion

Of course, if the worst does happen, and your site does get hacked: Make sure you’ve got a backup ready to roll! Backup Machine can backup your website for you every day, automatically.

Protecting Your Website #1 – Password Security (by Steve)

Having your website hacked can be a devastating experience, and unfortunately for you, hijacked websites can be very useful tools for criminals.  Hackers may want to use your site to propagate viruses, steal your customers’ information, or commit other crimes – and it’s not as far fetched as you might hope or think.

In this “Protecting your website” series, I’ll be taking you through the ways that you can protect your site. This week we’ll focus on password security.

Your FTP and/or SSH credentials are the keys to your kingdom. Guard them well!

Reusing passwords

Have you ever used the same password for more than one site?

If we look back over just the last couple of months, the volume of passwords that have been stolen from sites such as LinkedIn, Gizmodo, Yahoo! and others is huge.  Use the same password on more than one site, and you’ve hurt yourself more than you can imagine.

Of course, choosing a different password for every different site is not an easy thing to do by yourself.  Eventually you’ll find yourself writing the passwords down and this is clearly not a great idea!

Fortunately there is a solution: Sign up for a service such as LastPass which can be used to generate passwords for every site you visit, and store them in an encrypted file.

Stealing passwords with a virus

Unfortunately there are several other ways an attacker can steal your password.  A common way is by using a virus, which can read your keystrokes as you unwittingly type your password in.  Other viruses can look at the information your computer keeps to ‘remember’ your passwords, so you don’t have to re-type them.

To protect yourself against these problems, always:

1) Ensure you run up-to-date virus scanning software.  If you’re running Windows, you could download Microsoft Security Essentials or AVG, which are both free and will protect you well.  If you’re running on a Mac – don’t be complacent.  Macs have now become popular enough to be legitimate targets for viruses.

2) Be wary of logging into your site on someone else’s computer.  Not sure what’s been downloaded in the past?  Using a computer owned by someone who’s not particularly clued up?  It’s probably best to steer clear!

3) Change your password frequently.  Especially if you’ve had the misfortune to avoid the advice in (1) and (2)!  If your password is out of date before an attacker has a chance to use it – you’re winning again.

4) If you’re running an old copy of the Internet Explorer browser, upgrade it now.  There are a number of attacks that are specifically targeted at Microsoft’s infamously insecure old browser versions.  Better yet, download the most secure browser available – Google Chrome.

Stealing passwords by sniffing

FTP does not protect your username or password when you access your website’s files. If an attacker has control over any of the machines in between your computer and your server, they can see your username and password floating past. This eavesdropping activity is known as ‘packet sniffing’, and is a relatively trivial exercise.

Have you ever sent passwords in an e-mail?  Again, it’s very easy to read e-mails as they fly around the Internet.

Think of it as sending a postcard with your secret information in plain sight as it goes through the sorting office.

To avoid this, wherever possible, use SFTP rather than FTP to connect to your site.  SFTP uses SSH to communicate, which is secure (as the name “Secure SHell” suggests).  And never send passwords around in an e-mail!

Brute force attacks

Even if you manage to avoid your password being stolen, another way hackers can get into your site is through an attack known as ‘brute force’.  Such an attack typically involves cycling through a list of possible words (such as a dictionary) until the attacker is let in.

To protect yourself against this form of attack,  make certain you choose a ‘strong’ password.  Conventionally, a strong password is never just a single word that could be found in a dictionary or book of names.

Mix up your password with symbols and numbers.

Remember that LastPass site I mentioned before?  It’ll generate you a strong password with a click of the mouse, and remember it for you.

Conclusion

Of course, if the worst does happen, and your site does get hacked: Make sure you’ve got a backup ready to roll!  Backup Machine can backup your website for you every day, automatically.

Check your site is ready with Launchlist! (by Steve)

How do you know if you’re ready to launch your new website? What do you need to check?

Go to Launchlist and check off everything you should have done!

http://lite.launchlist.net/

Of course, we know you’ve got your backups sorted already, right?

Track changes to your website via e-mail (by Steve)

Backup Machine uses a unique incremental backup system that keeps track of changes to your website’s files.  We use this to only backup those files that have changed since the last time (saving you bandwidth and server load).

You have always been able to see these changed files through your Backup Machine control panel – but now we’ll also give you a heads-up of the files that have changed via e-mail.

Some of our customers have been using this feature to keep track of changes to their site, and spot possible malicious activity.  We hope you find it useful too!  You can never be too careful with your precious data.

To turn on this feature, visit your “Account Settings”, and select “Notifications” then “Include Extended Information”.


Woody Was Saved by a Backup! (by Andi)

Here’s an interesting video about how Toy Story 2 was almost lost by a Pixar employee accidentally wiping the server that it was stored on. They suffered a common problem: they backed up the data, but the backup had stopped working for a month.

Whether you’re working on a movie, a website or any other document, there are lessons to be learned from Pixar’s mistakes!

World Backup Day 2012 (by Andi)

It’s pretty clear that we think backing up your files is vitally important. In our minds, every day is website backup day, but today is a very special day for the backup world … it’s a day all about celebrating backups in general!

We really support what the guys at World Backup Day are doing. There are two sides to it. For example, a close friend of our team recently lost all of his family photos due to a hard drive failure, and we’ve all seen and heard the horror stories of companies closing down because they lost all their data.

So, even if you’ve never backed up before, World Backup Day (March 31st) is the day to make a change. Burn those photos to DVD (and put them somewhere safe!), add some files to Dropbox and definitely, without fail back up your website!

Website Resolutions (by Andi)

What is your New Year resolution? Do more exercise, eat less chocolate, or perhaps see your family more often?

While you’re working on your plans for 2012, don’t forget your website. What is your website resolution (and we’re not thinking about 1024 x 768 … not those resolutions!)? Here are a couple of suggestions from us:

- Set up automatic website backups (of course!).
- Update your blog more often.
- Communicate with your customers more frequently about the things that matter to them.
- Make your social media more social, and not just about selling.
- Review some of your key user interfaces to work out how you can make them slicker, easier to use and better at converting sales.

We’ve got many of our own ideas too. What are yours? Tweet us yours at @BackupMachine!

SOPA and Website Backups (by Andi)

SOPA is being talked about everywhere. It stands for “Stop Online Piracy Act” and, if passed, will allow the American government to take control over websites that they believe to contain copyrighted material. This could include websites that share (or even just link to) copyrighted videos, music, images or text.

The internet is full of great articles about what SOPA is and how it will affect the internet. But I want to focus specifically on what it means for website owners.

Who will be affected?
In short: everyone. Even if you don’t host, link to, or share copyrighted material, the very fact that you host your website puts you at risk. If your web host unknowingly allows just one website that it hosts to link to pirated material, the US government could shut down that web host’s entire operation. Therefore, you could potentially lose your website for doing absolutely nothing wrong.

Isn’t that a little unlikely?
Not at all. We know this, because it happened before when the FBI seized several servers from a web host called DigitalOne. That was pretty tough for them to do, but the SOPA act is all about making this much easier for the US government.

What can you do?
In truth, if the bill gets passed, there’s very little you can do. The world will lose control of the internet. But, we do have one vital tip: make sure that your website is constantly backed up. Whether you back up yourself, or back up with us, it’s vital that you do something.

Your website could be wiped from the internet with no warning and without you doing anything wrong. So by ensuring that you have a backup, you can at least be equipped to quickly jump into action and rectify the terrible situation.

We hate to sound negative about the situation, but we also hate what SOPA could do to the internet. We hope that this little guide at least helps you prepare for the worst. In short: it’s more important to back up now than ever before.

5 Tips to Resell Backup Machine (by Andi)

If you’re a web designer, Backup Machine’s Reseller package is the perfect additional revenue stream. Here are five tips to help you resell website backup:

1. Contact your existing customer base
There’s a good chance that your customers aren’t aware that their website isn’t automatically backed up. Drop them a line to let them know that you are now offering backup services under your portfolio.

2. Build the price into a “hosting fee”
If you’re already hosting the website for your customer, why not add a little on top to back up the website too? It could save you a lot of headaches down the line, if anything goes wrong with your hosting.

3. Offer to back up their other websites too
You’re not limited to backing up websites that you designed. Backup Machine backs up websites from any host, or using any CMS, so why not offer to back up your customers’ other websites too?

4. Mark up the price
We don’t have any stipulations of how much you can charge for your Backup Machine packages, so why not mark up the price and make some extra money along the way?

5. Create your own website backup brand
We have full white-label and branding facilities, so why not go all out and create your own branded backups? We’ve done all the hard work; you just need to create a great brand and sell as many website backup packages as you can!

View Changed Website Files (by Andi)

We’re always happy to hear feature requests, and here’s a perfect success story. We recently received a request from a customer to see all of the files that were changed between two backups. Within just a few days, that new feature was fully developed, tested and put live!

To see the files that were changed between two backups, simply visit your backup history and then click the “View changed files” link on the file listing of any backup report. The file list will then only show the changed files.

We work on improving Backup Machine every single day. We’re a small team, but with a great passion for our service and product. Therefore, we hope that you find this improvement useful.
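The change list in the “Track changes to your website via e-mail” post and the “View changed files” link above both come down to comparing one backup’s file fingerprints with the next. The script below is an added example, not Backup Machine’s implementation: it builds a manifest of path to SHA-256 hash, diffs two manifests into added, removed and modified files, and flags changes to script files, which are the ones worth a second look when hunting for the injected redirects and back-links mentioned in the script-exploits post. The two manifests are constructed in memory; `build_manifest` is what you would run over a real copy of the site.

```python
"""Report files added, removed or modified between two website snapshots.
Added example, not Backup Machine's code.  The two manifests below are
constructed in memory (path -> SHA-256 of content) rather than read from disk."""
import hashlib
from pathlib import Path

def build_manifest(root):
    """Hash every file under root; run this over a real copy of the site."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_manifests(old, new):
    """Return sorted lists of paths that were added, removed or modified."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }

# Uploads change all the time; server-side scripts and .htaccess should only
# change when you deploy, so a surprise change there deserves a closer look.
SUSPICIOUS_SUFFIXES = (".php", ".js", ".htaccess")

def flag_suspicious(changes):
    """Added or modified paths whose suffix marks them as executable/config."""
    return sorted(p for kind in ("added", "modified") for p in changes[kind]
                  if p.endswith(SUSPICIOUS_SUFFIXES))

def h(data):
    return hashlib.sha256(data).hexdigest()

# Constructed manifests standing in for yesterday's and today's backups.
YESTERDAY = {
    "index.php": h(b"<?php echo 'hello'; ?>"),
    "images/logo.png": h(b"\x89PNG-constructed"),
    "wp-content/uploads/2012/07/photo.jpg": h(b"jpeg-constructed"),
}
TODAY = {
    "index.php": h(b"<?php echo 'hello'; include 'wp-includes/z.php'; ?>"),
    "images/logo.png": h(b"\x89PNG-constructed"),
    "wp-content/uploads/2012/07/photo2.jpg": h(b"jpeg-constructed-2"),
    "wp-includes/z.php": h(b"<?php /* unexpected new script */ ?>"),
}

if __name__ == "__main__":
    changes = diff_manifests(YESTERDAY, TODAY)
    for kind, paths in changes.items():
        print(kind, paths)
    print("look at these first:", flag_suspicious(changes))
```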