
High Security in a User Friendly Internet World

What prompted this article is that my registration on some bluegrass related email and websites has been compromised. I have received various emails that certainly confirm this. If you operate a web site or use a newsletter distribution service, you probably give security only a casual thought. What are they going to steal? Why would anybody want to mess with us -- we're too small? What's the worst that can happen? And other questions. Have you asked about your liability exposure if your assets are compromised? Do you regularly check your logs looking for requests that don't seem right and then make decisions based on your findings? Probably not.

First off, what are your assets? User accounts with emails and passwords (or password hashes) are certainly one. If you sell online, do you retain any credit card information? Does your site use a secure protocol and, if so, is your security certificate secure? How much personal information do you retain in cookies, databases, and other aspects of your site?

For most in the music industry, these questions are way over their heads. It is somebody else's concern. They buy a standard platform on a hosted service somewhere and assume that the hosting service is addressing these security issues. Unfortunately, I don't know of one that does. If your site got hacked and all your user information was suddenly captured by some unknown person, probably in a less-than-friendly country (China, Russia, et al), how are you going to determine even if this happened and, if it did, notify all your users that your site was compromised? Yes, there can be a legal requirement in some cases that requires disclosure of hacked systems.

What happens if a bad guy gets your email and password? Well, they try the same password on social media and even financial institutions. Most people use the same password for all their user accounts. They almost always use their email for everything since few people have any need for multiple email addresses. So, some site gets compromised, all their user account data gets leaked and possibly sold on the Internet, and the unsuspecting user doesn't even know because the site or service owner doesn't know. They wake up to find their bank accounts empty or virus emails flooding their inbox or who knows what. It is not a trivial matter any more.

Most service owners tackle the issue reactively. A little panic, fix the hole, and life goes on. Nobody knows what happened. Unfortunately sweeping site compromises under the carpet doesn't fix the problem and, worse, may also hurt your loyal supporting customers. While it is true that customers rarely know where a leak that hurts them comes from, there are a few of us who do know how to track hack attempts.

Cybergrass doesn't store or retain any user information. No usernames, emails, addresses, etc. We don't need that information and we don't keep it. The entire site is open for reading. Comments are through a third party system and are just linked in -- they don't reside on our site. While we do use cookies, they are for the session and user experience but, again, we don't keep any user information within them because we never even ask for any. We don't use credit cards, PayPal, Bitcoin or other financial methods because we don't sell anything via the web. There really isn't anything anybody could use from our site.

We do, however, check our logs daily for attack attempts, database modifications and such. We certainly don't want anything damaging to originate from our site. While I have received messages from hacked sites, I recognize them for what they are and, I usually check to see where they originated. There are some popular sites that I'm sure our readers go to that have been compromised. Most are fixed within a few weeks but, the damage has already been done. I prefer to prevent the damage from even happening in the first place.

One little known fact is that virtually all systems connected to the Internet, regardless of size or scope, have been compromised and many are on a continuous basis. Even the majority of home computers have been remotely accessed. Keeping secret, private, personal or financial information on an Internet connected system is not wise in today's world. Countries have dedicated resources to hacking into all levels of computer systems for a variety of reasons. Some systems are set up as remote slaves to awaken and carry out commands from a central location (botnet) while others are used to quietly feed secrets to foreign governments. Identity theft is a multi-trillion dollar business and foreign nationals are targeting everything they can to build large collections of data on people. Consider that 90% of all data was collected in just the past two years. Much of that is personal data on everyday people. Credit card numbers, names, addresses, email addresses, phone numbers -- especially mobile devices -- are all being collected and stored in data warehouses where the information can be mined and sold. Nothing on the Internet is secure.

The normal user places their trust in their Internet provider. Unfortunately, the provider provides little security, if any, and leaves that task up to the user. They just provide the plumbing to the network. What you do or don't do with it isn't their concern. Web hosting services are pretty much the same. They provide a platform, often times a shared virtualized platform, to operate your site. Most web sites operate with many others on the same server. Some are even becoming "cloud" based. The problem is that any of the virtual hosts on the server can be a doorway into all the sites on the server. If a hacker gets through an insecure site, even if you think yours is secure, it probably no longer is. So many sites are hacked today that it is almost frightening as to what the potential damage could be.

A common web site attack occurs when there is also an email service connected with the site. By now, almost all of us have received that innocent looking email from a friend that has a single line, "Hi. I just found this link. Check it out!! http://www.SomeTrustedSystem/garbagecharacters/filename.xxx" You trust the sender. You trust the website. You click on the link. Nothing happens. Ah, but something did happen. You just didn't see it. You may click it again just to be sure. It doesn't matter. You authorized your system to download an unknown payload to your computer. You don't know what it is, what it does or what it is going to do in the future. You have, however, become infected. Trust on the Internet is lost.

Something to consider is to NEVER discuss anything financial or personal over the Internet UNLESS YOU ORIGINATE THE SESSION!! This is critical. If you get a notice from your bank, PayPal, airline, an insurance company or anybody, even a grocery store, saying to access your account, it is a scam. No legitimate business does this. If there is any concern, call the company on the phone. You may also originate a totally new session to the business on the web by entering where to go yourself -- never trust or click on a link -- enter it in manually, such as www.discover.com for the Discover credit card. I use the same rules on the phone. If I get a phone call from the bank, I inform them I'll call them back. Hang up, then look up the bank's phone number on your last statement and call them yourself. Anything in an email you got they will know about if it is legitimate. An ounce of caution can save you years of straightening out an identity theft mess that can ultimately remove all the money from your accounts, compromise your credit and worse.

If you own and operate a website, be very careful with its security. There are liabilities involved and your provider or hosting service probably is not going to share that liability with you. If you keep any user data (email, username, etc.), encrypt it. If somebody gets your data files, they shouldn't have any human readable content. Since your configuration files, which the web site needs in order to access your data, hold your database and authorization credentials, anybody who hacks the site instantly has access to them. A remote backup of your data files to China is probably not a good thing and you probably wouldn't even know it happened, as it doesn't require the web to do so once the authentication information is known.

Something that few realize is it may be more important to watch what goes out of your site than what goes in. A compromised site may not show any abnormal input. However, if large streams of data are leaving the site and it isn't music, video or images, you want to know what it is. If a large business or government computer gets compromised, the hackers want the data within those systems. A few keystrokes may initiate a massive outflow of information and data. If you only look at logs to see what was entered, you may miss the big picture. You need to know what goes out as well. Virtually no internet provider or hosting service supplies this capability. It will be up to you to configure your own monitoring systems. How frequently is the database accessed? What data is requested? What commands have been sent to the database? Have there been any full table requests?
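One way to watch the outbound side described above, as an added example that is not part of the original article: it totals the bytes sent per client for anything that is not music, video or images, and lists tables read without a WHERE clause. The log lines are constructed samples, and the combined access-log format, the query-log layout, the media extension list and the 10 MiB limit are all assumptions.

```python
import re
from collections import defaultdict
# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2024:02:14:07 +0000] "GET /music/track01.mp3 HTTP/1.1" 200 8400000 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:02:15:10 +0000] "GET /news/article-42 HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:02:16:31 +0000] "GET /export?table=users HTTP/1.1" 200 52428800 "-" "curl/8.0"
192.0.2.55 - - [12/Mar/2024:02:16:59 +0000] "GET /backup/site.sql HTTP/1.1" 200 31457280 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:02:17:02 +0000] "GET /images/banner.jpg HTTP/1.1" 200 245000 "-" "Mozilla/5.0"
"""
# Constructed database query log; the "timestamp user statement" layout is assumed.
QUERY_LOG = """\
2024-03-12T02:16:30Z webapp SELECT title, body FROM articles WHERE id = 42
2024-03-12T02:16:31Z webapp SELECT * FROM users
2024-03-12T02:16:40Z webapp SELECT email, pass_hash FROM users LIMIT 100000
2024-03-12T02:16:45Z webapp UPDATE sessions SET seen = 1 WHERE sid = 'abc'
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} (\d+|-)')
SELECT_RE = re.compile(r"\bSELECT\b.+?\bFROM\s+(\w+)", re.I)
MEDIA_EXT = (".mp3", ".ogg", ".mp4", ".webm", ".jpg", ".jpeg", ".png", ".gif")  # assumed

def non_media_egress(log_text):
    """Sum response bytes per client, skipping music, video and image files."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: ignore rather than guess
        client, url, size = m.groups()
        path = url.split("?", 1)[0].lower()  # drop the query string before the extension check
        if size != "-" and not path.endswith(MEDIA_EXT):
            totals[client] += int(size)
    return dict(totals)

def heavy_senders(log_text, limit_bytes=10 * 1024 * 1024):
    """Clients that pulled more non-media data than the (assumed) 10 MiB limit."""
    return sorted(c for c, n in non_media_egress(log_text).items() if n > limit_bytes)

def full_table_reads(query_log):
    """Tables read by a SELECT that has no WHERE clause to narrow the rows."""
    hits = []
    for line in query_log.splitlines():
        m = SELECT_RE.search(line)
        if m and not re.search(r"\bWHERE\b", line, re.I):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    print(heavy_senders(ACCESS_LOG), full_table_reads(QUERY_LOG))
```

Run daily against the previous day's logs, a non-empty result from either function is the cue to look at what left the site and why.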

The point of this article is to make the reader aware that this isn't 1996 anymore. The World Wide Web is actually a minefield today. It is a dangerous place if you aren't paying attention. Accounts get hacked frequently through social networking sites, email scams, and more. If you run a web site, you want to make sure you are as secure as you can be. Most of keeping a site secure is pretty basic but it requires you to do it. Do not rely on others. It is your responsibility to secure your users' information.

Bob Cherry has been involved with technology and the Internet for over 35 years and is versed in Internet security. He has worked for Global Fortune 100 corporations and has worked in an international capacity. He has numerous patents and published articles to his credit. He is CompTIA Security+ certified in the area of Cyber-Security and has been involved with the Internet and large data systems for financial and insurance companies for more than two decades. He has worked with intrusion detection systems, advanced firewalls, router software and large systems and anti-virus testing.
