Hacked Websites Security

Hacked Websites Security

Hacked Websites Security

Hacked Website Security - IPFire firewall logo

(PD) A blatant plug for the IPFire firewall logo.

Larry Neal Gowdy

Copyright©2017 December 01, 2017 - Updated August 03, 2018

Bad Security = Trouble$

Equifax® got hacked. Yahoo® got hacked. WordPress® got hacked. Uber® got hacked. Millions of other websites got hacked. Will your website get hacked? What security features does your website have?

Equifax is expecting to lose around $110-million dollars having to pay the increased expenses of fixing the problems caused by getting hacked, plus suffer the estimated $2-billion to $4-billion in stock market losses. Adding in the millions of people enduring psychological stress, health deterioration, and financial difficulties forced upon Equifax customers, the hacking has caused immeasurable suffering. By any standard that is an extremely expensive lesson in security.

Uber reportedly paid a $100,000.00 ransom for hacked customer data that was stored on third-party cloud-based services. Uber has been around for about eight years, and Uber relies on the Internet for payments, so why did Uber not know of the extreme security risks of using cloud-based services?

'Cloud-based' is one of the 'danger' words that a person is opening themselves up to potential problems that they have no control over. Never ever use a cloud service for sensitive information, not even for family photos. This raises another topic that most honest people never think about. What harm is a family photo? Family photos show ages, genders, racial features, cultural backgrounds, financial status, lifestyles, and tons of other very personal information that criminals can use to create schemes of how to rob you, how to cheat you, or even how to kidnap your children if it appears that your family can afford a ransom. My security occupation took me into many different prisons and courthouses throughout the Texas panhandle where I witnessed firsthand how criminals used similarly innocent information to commit crimes, including kidnapping.

A favorite story of mine is of when I was installing a computerized security system for a convalescent home. I did not understand why the home wanted a very expensive security system, so I joked with a nurse: "What is the security system for? To make sure the old people do not escape?" The nurse understood my unfamiliarity with their problems when she replied: "It's to keep thieves from stealing medications." Now I understand.

Inexperienced honest people do not think the same way that criminals think, and that is where security people earn their fees. With sufficient experience, security people can point-out the security weaknesses that criminals are apt to take advantage of. Websites are no exception.

Websites that use content management systems (CMS) — like WordPress — are notorious for getting hacked. I don't even know if the numbers are still being tallied, but it's a safe estimate to say that many millions of WordPress websites have been hacked over the past ten years. In February of 2017, the BBC reported of a recent incident: "One estimate suggests more than 1.5 million pages on blogs have been defaced." Also quoted was "During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor..." (BBC Wordpress blogs defaced in hack attacks)

WordPress has several advantages, but security has never been one, and I have always recommended against using WordPress. Some of my customers still choose to use WordPress, which is okay if they want to, but to date roughly half of the sites had to be taken down because of getting hacked. Even when a WordPress site is not hacked, it will suffer from dozens to many thousands of attempted hacks every single day, which slows the hosting server, slows response time for visitors, causes customers to click off the site rather than wait, cause a business to appear unprofessional, and can cause losses of search engine ranking due to slowness. Using the free WordPress CMS is not worth the cost.

Avoiding security risks is a whole lot easier and cheaper than fixing a hacked website.

How to Store Customer Information

Storing customer information is dangerous and can be very expensive if the information is stored online or on a computer that is connected to a network. My own personal choice is store important numbers and data on paper — written by hand — and never entered into a document file. My business is relatively small, and since I keep as little customer data as possible, then I do not need more than a couple notebooks of handwritten codes.

When I used to service security for major corporations and government agencies, I had a thick spiral notebook that had numbers and access codes for many locations. With a phone call and my notebook's codes, I could walk unimpeded into many different banks and locations throughout the panhandle at any time of day or night: that is how sensitive the data was. When I stopped servicing clients' security, I physically and permanently destroyed the data. I will never have to worry about whether someone might have stolen a computer file with the security customers' codes; that is a stress that I will never have to endure.

An image sharing site, Imgur®, has made public that it was hacked in 2014 but did not know of the hack until November 24, 2017. An estimated 1.7 million user accounts had their email addresses and passwords stolen. Imagine the cost and trouble that I might have had if I had kept my security data on a computer file, and the computer had gotten hacked years previously without my knowing. You do not have to worry about computer security if you do not use a computer for security needs.

Nevertheless, there can be important reasons for large businesses to keep sensitive data on a computer. The first good option is to keep the data on a single computer that is not connected to any network, nor does the computer have any wireless capability. The wireless does not have to be connected with the Internet, a hacker may be able to get into your computer from a nearby computer if your wireless card is radiating (which all wireless devices always do unless the devices are fully turned off). How near? Figure around 100 to 500 feet depending on obstacles. Most everyone now has a neighbor with wireless, which means that if the neighbor's computer gets hacked, then yours might too.

I had a customer who took his computer to a big electronics store to have the power supply replaced. When the computer was returned, it was infested with trojans, all of which had been inserted wirelessly. Apparently the customer's computer got infected by being near another computer that had the trojans.

The second option is to keep the computer networked to other business computers that are also not connected to the Internet.

The third option is becoming more popular, that of each business desk having two computers; one for Internet work, and another for the sensitive data. A common setup is to run a Windows® XP computer offline for use with software that will not work on other Windows versions, and then use a Windows 7 or 8.1 computer for online work. This works well for individuals who are sufficiently computer savvy to know how to scan files before transfers, but there is still a risk of sensitive data getting hacked.

Sometimes one of the computers will run an enhanced security Linux® operating system for online access while the offline computer runs a Windows operating system. Nothing is completely safe, but the use of two different operating systems helps to reduce the potential of information and/or malware jumping from one computer to the next.

Like it or not, computer security problems are increasing, not decreasing, and that is one of the reasons why I focus on website security, because I do have sizable control over website security.

The Necessity of Having a Web Presence

Most all businesses today need an online presence, even if it is only a website that gives business contact information. Choosing how the website is created will also decide whether or not you will be safe from hackers, and whether or not your customers will feel comfortable with your business.

I build websites that use coding that is not hackable. There are no back doors, no scripts that might let hackers into the website's coding itself, and no threats to your customers. The only way one of my sites could be hacked is by someone first hacking into the server itself, which is unlikely to happen, and if it should ever happen, then the fix is relatively easy and fast (simply wipe the account and upload the files again).

Security-minded individuals turn off scripting in their browsers, which leaves most websites (including all CMS websites) to not function for the individuals. My websites are purposefully coded to function for all devices and for all levels of security.

Planning a website's security can be one of the most important decisions a business can make.

More information about the IPFire firewall can be found at https://www.ipfire.org/.

Click Here to Email Me With Questions

Copyright©2018 by Larry Neal Gowdy. All rights reserved.

Updated August 03, 2018