Hackers, Crackers and Script-Kiddies

January 30, 2009

You log on to your site and notice that, from your administrator’s console, things don’t look right. So you search the site access log and discover the worst. You’ve been hacked. You’ve got a bogus IP address listed in the search log and when you try to access the intruder, all you get is a 404 error message – Site Not Found.

Now what do you do? What did the hacker do? Is there a digital ticking time bomb buried in your site’s code? A Trojan horse, perhaps? And what about that sensitive personal data stored on your site’s database? You know that’s been copied, even though a quick check of MySQL reveals the database is still intact. Even so, that sensitive data has been compromised.

Any site is vulnerable to hackers, crackers, script-kiddies and other black hats regardless of how many layers of security you have in place. Remember, hackers never sleep and they’re always looking for web site vulnerabilities. These guys could have gained entry to your site in lots of different ways: by placing an order or opting in for your newsletter. Once contact is made, security is more easily breached.

You’ve got a problem. So, never let it get this far.

Keeping the Bad Guys at Bay
Once a site has been hacked, getting it scrubbed clean and back online can be an arduous, time-consuming, money-losing proposition. Better to keep those evil-doers out from the start.

Check your host server’s configuration. Oops, forgot to do that.
Revisit your server configuration. You can buy the best, locked-down-tight site security but if it isn’t properly configured with server side software it may provide a false sense of security, as in you aren’t getting what you paid for.

Synch up for safety.

Keep security software and hardware current.
We all know that the hacker community doesn’t have much else to do except sit around devising new ways to circumvent the latest patches from Microsoft or security software developers like McAfee. The security software programmers know it all too well, so 24/7 there’s a battle going on between security programmers and hackers looking for a trophy and web creds from other hackers.

Update in-place security regularly. Log on for patches and fixes.

Keep meticulous records of all software. (Keep the box.)
Maintain a record of all software in use to support your business including edition number, i.e. XYZ 2.0. Also user key codes and other information that’ll come in handy if a hacker does get through. An online security company needs to know as much about your software as the hacker did. Make it easy for that company by providing make, model and serial number.

Review log files.
At least once a day, check your back office logs to make sure no one has dropped by unnoticed.
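A daily log review like the one described above can be scripted. This is an added example, not part of the original article; it assumes the web server writes the common "combined" access log format, and the admin paths, trusted office range, threshold and sample lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Combined log format: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumptions: where the admin console lives and which addresses may use it.
ADMIN_PREFIXES = ("/admin", "/wp-admin")
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/28")]  # constructed office range
FAILED_LOGIN_THRESHOLD = 3

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostname or junk in the address field: treat as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def review(lines):
    """Return (admin_hits, noisy): successful admin requests and repeated
    failed admin requests, both from addresses outside TRUSTED_NETS."""
    admin_hits, failures = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(ADMIN_PREFIXES):
            continue  # unparseable line, or not an admin-console request
        if is_trusted(m["ip"]):
            continue
        status = int(m["status"])
        if status in (401, 403):
            failures[m["ip"]] += 1
        elif 200 <= status < 400:
            admin_hits.append((m["ip"], m["ts"], m["path"]))
    noisy = {ip: n for ip, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD}
    return admin_hits, noisy

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - alice [30/Jan/2009:09:12:01 +0000] "GET /admin/orders HTTP/1.1" 200 5120
198.51.100.23 - - [30/Jan/2009:03:14:07 +0000] "POST /admin/login HTTP/1.1" 401 312
198.51.100.23 - - [30/Jan/2009:03:14:09 +0000] "POST /admin/login HTTP/1.1" 401 312
198.51.100.23 - - [30/Jan/2009:03:14:11 +0000] "POST /admin/login HTTP/1.1" 401 312
198.51.100.23 - admin [30/Jan/2009:03:14:15 +0000] "GET /admin/export HTTP/1.1" 200 88211
192.0.2.77 - - [30/Jan/2009:10:00:00 +0000] "GET /products HTTP/1.1" 200 2048
""".splitlines()
```

Run `review()` over each day's log; any entry in either result is a visit to the back office that nobody in the office made.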

Good time to bring up permissions. A lot of small companies maintain a network of computers. One in customer service. One in accounting and so on. A network is a must for even small businesses today, small businesses that rely on the office network to access business data and records of activity.

This requires the company owner to develop a permissions log – a directory of which employees have access to what company data. Not every department or employee should have access to all data, only the information required to do the job.

Limit the number of permissions. Limit access to data. And train employees in safe and secure online practices, i.e., email scans, daily virus scans across the network and so on.
And worth another mention, keep access logs up to date. Close out all ex-employees and others who have no business looking at order tracking data.

Stay current on viral epidemics.
First, always keep site security in mind. Consider it a key part of your job as online business owner. That requires a pro-active approach to security. And that requires a knowledge of the latest in frauds, scams, schemes and viruses.

A new virus, once discovered, is almost instantly identified on webmaster sites, on security software sites and, of course, on the Microsoft download page. That’s good. It prevents a local epidemic from becoming a pandemic. Keep up with the latest in hacker tactics and the cures offered on the web. If you wait, your site is vulnerable to a viral injection.

Bulk up your passwords.
This is a simple step that doesn’t cost a penny, yet many site owners still insist on using their pet’s name as the administrator log on. Anyone who knows the site owner will be able to hack the site in, oh, about 10 minutes.

Limit access and create undefeatable passwords. Dictionary software is easily available on hacker sites. These programs go through millions of letter and number strings a day until they generate the actual password. So, extend your passwords, use letters, numbers and symbols, and change them often.

Change all passwords whenever an employee leaves the company.

Run a check of all content generated by third parties.
You might download a FREE counter and pick up a dose of key-logger software – software that logs every key stroke made by you and other members of the office network.

Evaluate the source of the content. For example, sites that syndicate content via RSS feed should be Googled and checked by you, the web business owner. Any third party content can be booby-trapped so be careful. As mom used to say, “You don’t know where it’s been!”

Check your links. Check their ads.
Links are important to building connectivity within a small market. But a link is also an access point for a black hat so always consider the company you keep. Inbound links can be used to inject malware.

Same with paid advertising. Some “company” may pay you $50 a month to advertise on your site, build a shell site or mirror site and steal your sales. You might not notice it for a couple of days – and by then, your legitimate business could be out $1,000s in sales and you’re facing a boggy mess of customer complaints that are only going to cost more to repair.

Just because an advertiser “sounds nice on the phone” doesn’t mean that she’s running a legitimate business. Know what’s on your pages. Know who’s on your pages. If it looks funny, or your instincts tell you something’s not right, do you really need that extra $50 a month? Take care with those who reach out to touch you. They may be picking your pocket.

When you grow, hire a pro.
When you’re just starting out with a new site, money is always tight, always a consideration. In this case, go with a reputable web host that maintains high levels of server security, including security against cross-server (X-server) attacks. And if this is all gibberish, call the tech support team at your hosting company.

However, at some point, when that online business has grown from a part-time hobby to your sole source of income, congratulations. Now hire a pro.

Site security is no longer a priority. It’s become the priority once you’ve quit your day job and now rely on web traffic to pay the bills. Have a security pro check your system and, if merited, hire a security service that tracks attacks on your site, providing higher levels of safety for your “hand-built” digital business.

Yep, despite the fact that the web has been gussied up in recent years, it’s still a lawless frontier in which you have to protect yourself. The web police don’t exist so forget the 911 call. It won’t help.

The secret to a secure site is constant vigilance and automated convenience. Buy good security ware. Properly configure with server security. Update regularly and keep track of who comes and goes, whether an employee, a link-in or a paid advertiser.

Keep security front and center. It will keep what’s yours – yours!


Hackers and Crackers: Barbarians At The Gate

October 18, 2008

Hate to tell you this but the barbarians are at the gate. Hackers, crackers and script-kiddies armed with dictionary software are poised and ready to hack your site and make off with all of that highly-sensitive customer data – oh, you know, names, addresses, CREDIT CARD NUMBERS. I wouldn’t want to be the guy who emails his customer base to cancel their credit cards and contact Experian, TransUnion and Equifax to flag their credit activity for the next two years. 

Whether your MySQL is crammed with sensitive data, or your CMS is packed with sensitive, proprietary business information, you need to protect what you got, Jack, or you ain’t got jack.

Redundant layers of security are the norm in the corporate realm, but we regularly read that this university, this credit card company or this retail store data has been hacked and is now floating out there in the Ethernet. So, what’s a small business to do? A sole proprietor or a two-man dog-and-pony? How can they assure security?

The Number One Source of Hacker Attacks Is Someone You Know
Yeah, it’s not some 15-year-old in Bora Bora trying to access your MySpace account. The most likely threat is an angry business partner or sub-contractor or, sad to say, a spouse, a kid or your friendly Uncle Bob who comes over every Saturday to balance accounts.

Cures: Limit access to your business computer. It should not be a part of the home computer network. It should be a separate and distinct work station, password protected, off limits to anyone.

Bulk up your passwords, especially when keeping those who know you out. Forget Fluffy 909. An irate spouse’ll figure cat + birthday = password. Use signs, symbols and numbers to create passwords that can’t be defeated by someone you know.
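The "cat + birthday" problem above, and the earlier advice against using a pet’s name as the administrator log on, can be checked at the moment a password is set. This is an added example, not part of the original article; the names, dates, 12-character minimum and three-character-class rule are assumptions chosen for illustration.

```python
import re
import string

# Common look-alike substitutions, undone before comparing against personal details.
LEET = str.maketrans("0134578@$!", "oleastbasi")

def personal_tokens(names, dates):
    """names: words tied to the owner (pets, family, business);
    dates: (day, month, year) tuples such as birthdays."""
    tokens = {n.lower() for n in names if len(n) >= 3}
    for d, m, y in dates:
        tokens |= {f"{m}{d:02d}", f"{m:02d}{d:02d}", f"{d:02d}{m:02d}",
                   str(y), f"{y % 100:02d}{m:02d}"}
    return tokens

def check_password(password, tokens, min_length=12):
    """Return a list of reasons to reject; an empty list means acceptable."""
    problems = []
    lowered = password.lower()
    unleeted = lowered.translate(LEET)             # "f1uffy" -> "fluffy"
    squeezed = re.sub(r"[^a-z0-9]", "", lowered)   # drop separators like spaces
    for tok in sorted(tokens):
        if tok in lowered or tok in unleeted or tok in squeezed:
            problems.append(f"contains personal detail '{tok}'")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    groups = (string.ascii_lowercase, string.ascii_uppercase,
              string.digits, string.punctuation)
    if sum(any(c in g for c in password) for g in groups) < 3:
        problems.append("uses fewer than 3 of: lower, upper, digit, symbol")
    return problems

# Constructed owner profile: a cat called Fluffy, a birthday on 9 September 1975.
OWNER = personal_tokens(["Fluffy"], [(9, 9, 1975)])

if __name__ == "__main__":
    for candidate in ("Fluffy 909", "F1uffy!2024xx", ":q##s6gr))1!sz+++"):
        print(repr(candidate), check_password(candidate, OWNER) or "ok")
```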

Then There are the War Drivers, War Chalkers, Viruses, Worms, Trojan Horses, Key Logger Software and Zombie Computer Armies.

War drivers cruise industrial parks looking for leakage from an office network. All they need is a laptop, an antenna and networking software and they become a part of the office gang.

And all of that other nasty hacker-crap is out there. What can you do?

Protect your work station data and back it up automatically with an outboard hard drive.

Use a reputable host who maintains multiple layers of security hardware and software. Ask about access to the server room, ask where the servers are located and ask about on-site security. You can get good shared hosting for about $7.00 a month so we’re not talking breaking the bank, here.

Scan everything.
As an online entrepreneur, your inbox is filled every morning with everything from the 14th penis enlargement spam this week to actual emails from customers and clients. Separating legitimate email from hacker missives isn’t always easy. Any good email system will scan incoming mail, but if you have doubts, perform a separate scan on a piece of email before opening it.

Use SSL Encryption
First, no savvy computer buyer is going to place an order if the little ‘s’ in ‘https’ is missing from the address bar of a site, and those that do jeopardize their identity, credit and your business.

Maintain Your System Security
You don’t have to pay a bunch for site security software – good stuff. There’s even some OSS out there that professionals use. However, none of this software is going to do any good if it’s dated and hasn’t been patched in three years.

New bugs, viruses, scams and schemes are unleashed upon our sorry selves and there is no web police. It’s the wild, wild web.

Here’s what you want:

server side security and lots of it

SSL certification if you’re transmitting personal information.

An automatic back up system, i.e. an outboard hard drive

Quality system security software that performs a daily scan in the background and produces a log for review. Keep log data to track attempts by hackers to breach security.

A separate system, distinct from a home or office network. A stand-alone impervious to war drivers, war chalkers and other ne’er-do-wells.

A hands off policy if you work out of a home office.

Security scan software – software that equips you to scan individual documents for malware.

Passwords on steroids. Let ‘em break :q##s6gr))1!sz+++. Never gonna happen.

Finally, stay vigilant. You never know where a security breach will take place and there’s no 100% guarantee that you can make your business impregnable.

But you can sure make it hard on hackers who are more likely to move on to an open door than try to figure out your redundant layers of server- and system-side security.