A Hacker’s Lucky Dip

December 1st, 2003

Originally published in Unlimited

Cybercrime, in all its facets – hacking, online fraud, security breaches, information theft, defacements, electronic espionage, and service interruption – seems to be at an all-time high. If the threat doesn’t seem real enough, peruse some of the thousands of defaced home pages immortalised at Zone-H’s Digital Attacks Archive, including those of Canon.co.nz, Microsoft.co.nz and countless others.

How do hackers manage to slip inside? Their tactics are too many to recount here, but their weapons include point-and-click Windows-based graphical software like password crackers and port scanners written by other hackers. They also “sniff” for passwords in unencrypted data streams as they traverse the Internet, spoof IP addresses of trusted machines, and launch “Denial of Service” attacks using hijacked servers.

What is a website manager to do?

  • Don’t store credit card numbers on your server, even temporarily. If you must, at least store them encrypted.
  • If you collect credit card numbers or other sensitive information, use a secure certificate with 128-bit encryption, not the cheaper, less secure 40-bit kind.
  • When emailing sensitive information from your web server to an employee’s inbox, encrypt the email with PGP.
  • Hire a security consultancy to conduct a website security audit. If you want to do it on the cheap, have your web server administrator download Nessus and run a vulnerability scan on your web server and network.
  • Make sure server passwords aren’t based on a birth date, a word in the dictionary, or the name of a pet, child or spouse. A good password is a combination of letters, numbers, and punctuation, and is at least eight characters in length. Change passwords regularly.
  • Disable all unneeded services like FTP (file transfer protocol). The fewer services running on your server, the fewer the potential soft spots.
  • Stay vigilant. Monitor the server’s log files – use LogWatch or similar. Subscribe to a service that alerts you to security holes as they are discovered, such as BugTraq. Install the latest security patches as they become available.
  • Purchase insurance that covers against cybercrime. Traditional business liability insurance usually excludes such losses.
  • Do not have a guest book that allows unchecked submissions to be posted. Search engine spammers vandalise them with links and messages about herbal Viagra and other scams.
  • Run daily backups and cycle them so that past “snapshots” are archived and stored offsite.
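The password rule in the list above (letters, numbers and punctuation, at least eight characters, not a birth date, dictionary word or family or pet name) is concrete enough to enforce in code. The checker below is an added example, not part of the original article or any tool it names; the word list and personal names in it are constructed stand-ins, and the leetspeak reversal and the "four-digit year" heuristic are my own assumptions about what "based on" should catch.

```python
"""Password policy checker for the rule quoted in the article (added example).

Assumptions, not from the article: COMMON_WORDS and PERSONAL_NAMES are
constructed stand-ins; the LEET mapping and the year heuristic are my own.
"""
import re
import string
from datetime import datetime

MIN_LENGTH = 8

# Constructed stand-in for a dictionary word list; a real deployment would
# load something like /usr/share/dict/words instead.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "dragon", "monkey"}

# Constructed per-user facts (pet, child, spouse names) that the article says
# a password must not be based on; in practice these come from the account owner.
PERSONAL_NAMES = {"rover", "emma", "michael"}

# Crude reversal of common letter/digit substitutions so that "P@ssw0rd"
# is still recognised as the word "password" (assumed mapping).
LEET = str.maketrans("0143$@!", "oiaesai")


def _core(pw: str) -> str:
    """Lower-case the password, drop leading/trailing digits and punctuation,
    and undo leetspeak, leaving the 'word' the password is built on."""
    stripped = pw.strip(string.digits + string.punctuation)
    return stripped.lower().translate(LEET)


def looks_like_date(pw: str) -> bool:
    """True if the password is a date in a common written or all-digit form."""
    if re.fullmatch(r"\d{1,2}[-/.]\d{1,2}[-/.]\d{2,4}", pw):
        return True
    digits = re.sub(r"\D", "", pw)
    if len(digits) not in (6, 8):
        return False
    # A successful parse in any common ordering means it is a plausible date.
    for fmt in ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y"):
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            continue
    return False


def contains_year(pw: str) -> bool:
    """Heuristic (my assumption): a standalone 4-digit run between 1900 and
    the current year is most likely a birth year."""
    this_year = datetime.now().year
    runs = re.findall(r"(?<!\d)\d{4}(?!\d)", pw)
    return any(1900 <= int(run) <= this_year for run in runs)


def check_password(pw: str, names=PERSONAL_NAMES, words=COMMON_WORDS) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("contains no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("contains no punctuation")
    core = _core(pw)
    for word in sorted(words):
        if word in core:
            problems.append(f"based on the dictionary word '{word}'")
    for name in sorted(names):
        if name in core:
            problems.append(f"based on the personal name '{name}'")
    if looks_like_date(pw):
        problems.append("looks like a date")
    elif contains_year(pw):
        problems.append("contains a four-digit year")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; none of these are real credentials.
    for candidate in ("password", "P@ssw0rd1!", "Rover1!", "12/03/1975", "Emma2003!", "Kx7!mq2p"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The stripping and leetspeak reversal are what make the check useful: appending "1!" to a dictionary word satisfies the character-class rules but is still a dictionary word underneath, and a checker that only counts character classes would pass it.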

By Stephan Spencer. This article first appeared on Unlimited in December 2003.