Websense reported that in 2008 many of the most popular sites were hacked

High-profile media outlets were among those victimized, including CNET Networks, BusinessWeek.com, BillOreilly.com, and the New York Times. So how can you protect your online 'shop' if even the big ones are not able to do it?

First of all: never trust the users. It might sound harsh, but it is for the greater good of your web presence and, by extension, of the rest of your organization.

Just like a normal shop can be a target for vandalism or accidents, so can your website. The more visitors a web portal has, and the more freedom those visitors enjoy, the higher the probability that damage will occur.

This has nothing to do with the modern buzzword "hacker" and the way the media blindly refers to some blunt, faceless body that seemingly lives on the destruction of computerized equipment. The expression caught on long ago, especially in movie theaters, where "hackers" are portrayed as people with near-superhuman control over electronic devices.

In reality, ANYONE can access the broad knowledge base that is the Internet at any time and read up on a few tips and tricks for annoying web administrators. After all, it wouldn't be the first time that politics, economic gain or even jealousy was behind the sabotage of an enterprise's assets. And let us not forget the acts that inadvertently lead to damage, like breaking a plate in a shop. So how do you protect yourself from hackers and the like?

Amazon sells good tutorial books on how to protect yourself from hackers. For example:

Hacking Exposed Web Applications, 2nd Ed. (Hacking Exposed) Internet Security and Protection: How secure is your website and why you NEVER should trust your users...

Or you can download an interesting e-book like Hackers Nightmare, which answers questions such as:

  • HOW TO keep your sensitive files away from prying eyes;
  • HOW TO protect your PC from malicious attacks;
  • HOW TO keep your online banking, shopping and e-mail safe.

Let us first identify the different levels of access that can be given to a user:

1.     None.
A purely presentational site containing information, images and links, with no contact form, is the hardest to tamper with. This does not mean that a site with only basic interaction is something to strive for; it is safer only because there is not much to break.

2.     Page injection.
If information is encoded into the address of the page itself, such as the type of the current subpage, and is not filtered properly, a malicious user can insert their own text straight into your page and make it look like your own, save for the long and suspicious-looking URL (in security terms this is reflected HTML injection, or cross-site scripting). This has been demonstrated on the sites of many self-respecting newspapers and even on NASA's public website. It is a very common mistake indeed.

3.     User-generated content.
Two simple examples are member registration and user-generated comments or reviews. Most business sites have some similar service, especially if they want to register a paying client. However, when people enter their information they might accidentally add some unwanted data, or deliberately enter a massive amount of information in order to break the code that handles it.

4.     Uploads and html.
Whenever a user is freely allowed to use HTML or upload files directly to the web portal, a whole new range of possibilities opens up. A lot of filtering and precautions are necessary to keep this safe, but the solutions to these problems are purely technical. In all fairness, the flaws in the levels mentioned above are far more common, because the people behind the site fail to appreciate the problems that may arise.
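To make levels 2 to 4 concrete, here is an added example (written for this post, not code from any site mentioned above) showing the three checks a web developer would put in: escaping a subpage type taken from the URL before it is written into the page, rejecting oversized or malformed registration input, and allow-listing uploads by extension and file signature. All names, limits and sample inputs are assumptions chosen for the illustration.

```python
import html
import os
import re
from urllib.parse import parse_qs, urlparse

# Level 2: page injection. The "type" of the current subpage arrives in the URL.
# safe=False reproduces the flaw: whatever the visitor put in the URL lands in
# the page verbatim. safe=True escapes it so it is displayed, not interpreted.
def render_subpage(url: str, safe: bool = True) -> str:
    params = parse_qs(urlparse(url).query)
    page_type = params.get("type", ["home"])[0]
    if safe:
        page_type = html.escape(page_type, quote=True)
    return f"<h1>Section: {page_type}</h1>"


# Level 3: user-generated content. Reject oversized or malformed input before
# it reaches the code (or database) that handles it; do not try to repair it.
MAX_COMMENT = 2000                      # assumed limit for a review/comment
NAME_RE = re.compile(r"^[A-Za-z0-9 ._'-]{1,64}$")
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")

def validate_registration(form: dict) -> list:
    """Return a list of problems; an empty list means the input is acceptable."""
    problems = []
    name = form.get("name", "")
    email = form.get("email", "")
    comment = form.get("comment", "")
    if not NAME_RE.match(name):
        problems.append("name: 1-64 letters, digits, spaces or ._'- only")
    if not EMAIL_RE.match(email):
        problems.append("email: malformed")
    if len(comment) > MAX_COMMENT:
        problems.append(f"comment: longer than {MAX_COMMENT} characters")
    if "\x00" in comment:
        problems.append("comment: contains NUL byte")
    return problems


# Level 4: uploads. Allow-list by extension AND by file signature, cap the
# size, and never trust the client-supplied filename (it may contain paths).
ALLOWED = {                             # extension -> leading bytes (magic)
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}
MAX_UPLOAD = 2 * 1024 * 1024            # assumed 2 MiB cap

def check_upload(filename: str, data: bytes) -> tuple:
    """Return (True, safe_filename) or (False, reason)."""
    if len(data) > MAX_UPLOAD:
        return False, "file too large"
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path part
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    safe_stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:50] or "upload"
    return True, safe_stem + ext


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    evil_url = "http://example.test/page?type=<script>alert(1)</script>"
    print(render_subpage(evil_url, safe=False))   # injected verbatim
    print(render_subpage(evil_url))               # escaped, shown as text
    print(validate_registration({"name": "A" * 500, "email": "x", "comment": "ok"}))
    print(check_upload("shell.php.png", b"<?php system($_GET['c']); ?>"))
    print(check_upload("My Photo (1).png", ALLOWED[".png"] + b"\x00" * 32))
```

The upload check deliberately requires both the extension and the leading bytes to agree, so renaming a script to `.png` is rejected, and it discards the path part of the client-supplied name, so `../../etc/passwd` cannot be used to write outside the upload directory.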

There is a lot more to write about this topic, which will be covered in further posts. For now it is imperative to understand that there is no such thing as a completely safe website, but that safety improves quickly with each measure you add, and that the best protective measures are often the simplest to put in place.

If you want to check how well protected your website is, have someone scan it. I usually recommend SecSoftware.com to my clients, but the choice is of course yours.

For more information on protection from malware, adware and spyware, have a look at the post from my colleague in the Internet Security category. Check it out; better safe than sorry.


Filed under: Internet Security
