About hacking: nothing personal

By 17/11/2016

Quite often our clients take the act of their website getting hacked personally, or as the intentional actions of malicious competitors, former disgruntled partners, etc. In other words, they bring their own demons into the spotlight. But actually things are often much simpler.

There are people (hackers) who write automated programs (bots) and use them to try to hack websites by exploiting unpatched vulnerabilities in content management systems (CMS), web server configurations and web browsers. They inject code that could potentially infect your website's visitors, and so expand their network of infected computers (botnet). Large botnets can reach millions of infected computers, which become their “zombies” and can be used for malicious purposes – for example:

  • flooding websites with traffic until servers can no longer function normally (distributed denial of service / DDoS attacks)
  • cracking passwords
  • modifying system or security features and attempting to steal sensitive information

Hackers with large botnets can monetize them by renting or selling them – it’s all about money, after all.

So, hacking one more website is not a personal action by hackers – it’s recruiting just another “soldier” in their army.

Types of hacking attacks

Hackers use a variety of techniques and methods for hacking, like:

  • Vulnerability scanning: checking computers on networks for known weaknesses
  • Bruteforcing passwords by consecutively attempting different character combinations until one of them “clicks”
  • Using applications (like packet sniffers) that capture data packets in order to view data and passwords in transit over networks
  • Spoofing attacks – imitating real, well-known websites (like PayPal, Gmail, Hotmail, etc.), which users therefore treat as trusted sites
  • Luring you to open a malicious executable file (e.g. sent as a file attachment, or by being sent a specially forged link to it), which might exploit local vulnerabilities to infect your computer; sometimes (if you use an old and vulnerable browser) you might not even see the downloadable file, and it could execute directly and infect your PC
  • Infecting with a trojan horse which opens a back door in a computer system to allow later access to the system
  • Using keyloggers: tools designed to record every keystroke on the affected machine for later retrieval

What can you do to protect yourself?

The good news is computer viruses are like human viruses – if you care for your digital hygiene you can drastically reduce the risk of getting the flu.

Personal computer hygiene

If you let the enemy into your own castle (your own computer gets infected), he might not only steal important information you keep locally, but also the account credentials you store there – e.g. your website login credentials. Thus, an infected PC might lead to an infected website. And an infected website might “spread the joy” and infect further PCs, and so on.

Here are some pieces of advice that can help you stay clean:

  • Make sure you have an antivirus program installed and keep it up-to-date
  • Do not open files or links that you do not expect (from email attachments or messenger messages) – they might appear to have been sent by someone you know, but that person might also be infected, and emails / messages might be getting sent without their knowledge
  • Do not use unencrypted public WiFi networks while logging in to your website admin panel – passwords might literally fly through the air unencrypted and get intercepted
  • Keep your OS and programs up to date
  • Use a contemporary browser that gets regularly updated (Chrome, Mozilla, Opera, Safari, IE11/Edge)
  • Try to keep your “recreational browsing habits” away from a PC with important information on it.

Website hygiene

  • Make sure your website has at least some basic protection installed that fends off suspicious looking queries to your website
  • Make sure your website scripts are up-to-date
  • Make sure you do not use weak passwords for your admin login. A good password should be at least 8 characters long and contain characters from the four main groups – small letters, capital letters, numbers and symbols
  • Change your passwords once in a while (e.g. every 6 months)

Following these will not make you invulnerable, but it will improve your chances of staying out of reach of “the bad guys” for longer.