Why do hackers hack? Five ways they’re gonna attack your business website
Arghhhhhhh. After the 3rd customer website infected this year with a virus / hack, I’m seriously thinking of making our security service (http://security.stephdokin.com) mandatory as part of our bundled monthly offering for businesses. Yes, it costs a bit more every month … not unlike insurance. But, the downside risk is just too much methinks. Hacks have become more frequent in recent years. No sh*t Sherlock.
Today’s hack came in the form of root directory access to the website, and it was very malicious … deleted all the WordPress files. No website. No workee. Yes, we have backups. But cripes.
40% of small businesses have been hacked. And it’s getting worse. I talk all about it in my blog “Hackity Hack, you CAN fight back”
The bottom line: Just as how websites and a strong Google presence has become a vital element of any successful business, so has the protection of those assets.
Why do hackers hack a website?
Hackers rarely target a specific website. Those high-profile ones we hear about … Sony, U.S. Government, Ashley Madison … typically take some sophisticated targetting of the specific website to get in and wreck havoc.
But, don’t be so flattered. Most small business website hacks come in an automated fashion.
Programs (e.g. spiders) that crawl the internet from website to website try to expose vulnerabilities … they are the likely culprit of your website hack. When a vulnerability is found, they infect the the website. Some don’t have an impact for awhile (such as spam hacks wherein your website starts to get recognized by search engines for words that have nothing to do with your business) and some can screw things up right away, like file deletions.
Why do hackers hack? Here’s a quick list:
- Quick financial gain. Hackers are looking to harvest passwords, credit cards, whatever … in order to make some money.
- Ads and Spam. Once infected, spam hacks can start showing unintended ads or pages to your visitors, and driving traffic to other website properties. Without you knowing.
- Fun. Back in the old days, there was some glory associated in writing a good hack. I don’t think that glory exists anymore, however, but I’m sure there are still those out there that are all like “look at d’is!”
- A sense of online justice and/or frustration. Some hackers have a beef to grind and time on their hands. Certainly those that hacked Ashley Madison feel like they punished the company appropriately … not so much cyber criminals as it is cyber vigilantism.
- Stealing intellectual property. There lots of unprotected gold in them thar hills.
- Stealing computer time. Some hacks want to turn your host computer into a bot, to do it’s bidding as required, such as DDOS and DoS attacks (Denial of Service … a common way is to simulate LOTS of people coming to your website all at once, and your website can’t handle the volume).
- Pricks. Plain and simple. Some hackers are just not nice people.
Top 5 Most Common Types of Hacks That Will Infect Your Business Website
The world of hacking is super-technical. If you have a look at the pie-chart below, created by the Web Hacking Incident Database for 2011 (WHID), you are left wondering how websites ever work at all, frankly.
But, there are 5 common types of hacks, which I try to describe below in as plain-english as I can muster.
- SQL Injection (SQLi). SQL is a query language, and it’s the way developer’s code accesses data that’s stored in a database. A quick test of your website URL by an external program … instead of putting “www.yourwebsite.com” in a browser search, it puts something like “www.yourwebsite.com/id/id.asp?id=1=1” which tests to see if the vulnerability exists. If it does, then your data is theirs.
- Cross-site request forgery (CSRF). Being logged into lotsa of sites is pretty well the norm these days, and it’s typical that your website would have login authorization for external 3rd sites. Let’s say your website has imbedded authorization in it for a social website, or a bank or Paypal website. If that authorization exists, the hack can use your website as the starting point to get to the authorized site, and extract whatever they need from that site;
- Remote / local file inclusion (RFI/LFI). On websites that run PHP, which are about 77% of all websites (including Content Management Systems like WordPress, Drupal and Joomla), a successful attack allows the execution of arbitrary PHP code on the attacked platform’s web application, simply including a file that’s on a remote computer and getting it executed locally. With RFI/LFI, a hacker can take over a web server.
- Path traversal. Permissions on your website are set at the file and directory level … think about when you log in to your host like GoDaddy and go to the File Manager. Typically with most websites, there is a root directory of the website, which is itself a sub-directory your shared hosting space (on GoDaddy or weherever). BUT, if the hacker can detect permissions set incorrectly on the sub-directory that contains your website, they can “go up one directory level” to the host root directory with all permissions allowed. If so, bam, you’re screwed.
CMS websites like WordPress, Drupal and Joomla are easily hacked.
A Content Management System, or CMS, is a web application designed to make it easy for non-technical users to add, edit and manage the content of a website. The most common CMS systems used by businesses are WordPress, Drupal and Joomla. They are awesome, widely supported platforms.
This awesomeness adds a layer of complexity that can expose:
- Vulnerabilities in the CMS system platform
- Vulnerabilities in the Plugins for CMS systems
- eCommerce and User account vulnerability
(these are detailed more in this blog post)
Yes, the internet is complicated. Yes, we’re sorry. Yes, we have a solution.
Be careful out there!