Hello everyone,
Today I would like to discuss security and the web 2.0 evolution. Web site technology keeps advancing and becoming ever easier for new, inexperienced users to pick up. Today just about anyone can post a blog, get a website up and running in under 5 minutes with a few clicks of a mouse, and start writing, showing, learning, chatting and more. However, this leads to some concerns regarding security in the web 2.0 age.
In the past, users had to be very savvy to get a website going and to publish good content in a secure manner. Nowadays things are made much easier by CMS (Content Management System) software. With these tools, users no longer focus on the security side of web site design and deployment, because they assume it is already taken care of by the CMS developer. In most cases, this is simply not so…
The issue with relying on the developer to provide a good product with good security in place is that you do not know their skill set in web security, nor how advanced their knowledge is. Another issue to ponder is the age-old “Rush-2-Production” problem: it is essentially a “rat race” to produce the next new, best, latest gadget, whether it be web CMS software, software in general, or other technology gadgets. This trend leaves developers feeling pressured to be the first to put out the new stuff so they are not seen as “copy-catting” someone else. They no longer focus on the security aspect of things, but on making the first new fancy and shiny software on the block.
As you can imagine by this point, this is not a good thing for you or your hosting provider, and it is even worse if you find yourself hosting your own websites on your personal network. A compromise can have a terminal effect on your data and on the popularity of your “fancy” blog.
Imagine this:
You get your hands on the brand new “Widget of the century” and you are all heated up and excited to get your new widget up and running, to show it off to the world like a brand spanking new shiny penny. You make a mad rush and spend hours, if not days, working with your widget and its hundreds of fancy new sub-widgets to personalize and customize the look and feel of your place on the net. After you lose hours of sleep and work deep into the night, you finally get the widget done, and you are feeling pretty spiffy about what you just accomplished and about being the first of all your friends to get the new Widget! You sigh in relief: “Man, that was easy, and wow, it looks ultra cool!” You go to sleep feeling great.
You wake up the very next day, all excited to see how many compliments and hits you got on your new fancy widget site. You anxiously race to your computer, fire up a browser, and navigate to your page. When you get there, you come to the shocking realization that all of your work has vanished, or was replaced by “Hacked By: Some kiddie”. In sad disbelief you check to make sure the URL is right; you refresh the page; you clear your cookies, your cache, your temp files, and even your browsing history. You cross your fingers and type in your URL again, only to realize that your data is indeed gone! You then contact your hosting provider “CompanyA” and tell them of your findings. They verify that your data has been manipulated, and ask whether you have a backup. You gasp and realize that you are either not sure, or you don’t have one! Your host then tells you that they don’t have a backup of your data either, because the attack happened before the last backup was taken, and there is no way they can recover your lost data!
Sad, you now start to rebuild your website, trying to remember all of the fancy widget settings and effects. You finally get it back to within 95% of what you thought it was, and this time you remember to back up your data before you finish. You create your backup and think to yourself with a sneer, “Ha, try it again now!” You again go to sleep, wake up, and brace yourself to see your data gone, but to your surprise it is still there. You feel relieved, and you snicker at how upset you got the last time. You figure the attack is over, and you can continue widgeting to your heart’s content.
A few days go by, and you feel like you are on top of the widget world! You go to check your website, only to find that you are presented with an “account suspended” page or, even worse, a “server could not be found” 404 error message. You gasp again: “What could it be this time? Of course, I’ve got it, I will restore my fancy backup!” You log in to your FTP server or control panel to restore your backup, and you cannot log in! You check your user name and password, and you know they are right. You then call up your hosting provider CompanyA, and they tell you that your account has been suspended or removed due to a violation of the TOS (Terms of Service) agreement. You exclaim in anger, “How did I manage to do that?!?!?” Your provider tells you that your website and domain have been sending out tons of spam emails, that something went wrong and your site led to a compromise of the web server, and that they had no other course of action but to suspend or terminate your account. You wonder, “How the heck did that happen?” and then you think back to the original compromise.
Now you are stuck with no website, no fancy widget software to show the world, and no provider to host it, all because of some widget software that claimed to be the latest and greatest. Distressed, you may even consider calling it quits and forgetting the web and your site altogether.
The point of this story is to teach you to fully research the software you plan on rolling out, or already have in place. Check with your hosting provider to see how often, if at all, they do backups, and how long they keep them in the backup rotation. A good common practice for software already in use, or that you are thinking about using, is to find out what the latest stable version is and do an in-depth search online for any reported vulnerabilities in that software. It is also a good idea to join some advisory boards/sites like this one that have up-to-date information on all the latest news, tips, tricks, and especially vulnerability updates.
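To make the two checks above concrete (is my CMS version behind the fixed versions in published advisories, and is there a backup in rotation that predates the compromise?), here is a small added example. It is not code from the original post; the advisory entries, identifiers and the “widget” CMS are constructed samples, not real products or vulnerabilities.

```python
"""Offline version-vs-advisory and backup-rotation checks (constructed sample data)."""
from dataclasses import dataclass
from typing import List, Optional


def parse_version(v: str) -> tuple:
    """'2.3.1' -> (2, 3, 1). Non-numeric suffixes such as '1-beta' are ignored."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Advisory:
    ident: str      # placeholder id (not a real CVE or vendor advisory number)
    fixed_in: str   # first version that contains the fix
    summary: str


# Constructed sample advisories for a hypothetical "widget" CMS.
ADVISORIES = [
    Advisory("ADV-SAMPLE-1", "2.3.1", "sample: stored XSS in comment form"),
    Advisory("ADV-SAMPLE-2", "2.4.0", "sample: missing auth check on admin page"),
    Advisory("ADV-SAMPLE-3", "3.0.0", "sample: unrestricted file upload"),
]


def applicable_advisories(installed: str, advisories=ADVISORIES) -> List[str]:
    """Ids of advisories whose fix version is newer than the installed version."""
    cur = parse_version(installed)
    return [a.ident for a in advisories if cur < parse_version(a.fixed_in)]


def is_outdated(installed: str, latest_stable: str) -> bool:
    """True when an upgrade to the latest stable release is available."""
    return parse_version(installed) < parse_version(latest_stable)


def newest_clean_backup(backup_ages_days: List[int], retention_days: int,
                        compromise_age_days: int) -> Optional[int]:
    """Age (in days) of the newest backup that both predates the compromise and is
    still inside the host's retention window; None if no such backup exists."""
    usable = [age for age in backup_ages_days
              if compromise_age_days < age <= retention_days]
    return min(usable) if usable else None


if __name__ == "__main__":
    print("patch needed for:", applicable_advisories("2.3.0"))
    print("restore from backup aged (days):", newest_clean_backup([1, 3, 7, 14], 14, 2))
```

If `newest_clean_backup` returns None, every backup your host keeps was taken after the compromise, which is exactly the situation in the story; ask the provider how long their rotation is before you need it.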
Best of luck to you!