Reflecting On Security
Apr 1st, 2007 by Don Ray
After having the big meltdown I had with the hacker recently, maybe it is a good time to consider what can be done and by whom to make the Internet a little more secure. Please don’t consider this an extensive analysis of security problems. It is intended to arouse a little curiosity on your part to see if you are doing what you need to do.
I will break this down to three different components. Each of these components can do only so much and many times it takes a combination of failures of each to allow a cyber bum to enter and corrupt things. Here are my three areas of consideration.
First are the hosting providers that host sites similar to mine and commercial sites.
Second is the website owner – which would be people like me.
Third is the casual user – which would be you if you merely visit different websites and don’t have a website of your own.
Hosting Providers – Their responsibility is to stay current on the security issues that are happening in cyberspace and to try to keep up with or ahead of the latest trends in cyber crime. They need to apply their maintenance releases promptly and keep the system backed up to the level of backup needed for them to recover from a failure. They are responsible for bringing their systems back online and not necessarily the websites of their clients. Their responsibility to their clients depends on what their clients have contracted for.
I believe that the hosting providers should protect clients from each other. By that I think it is reasonable for a hosting provider to require its clients stay current with their maintenance releases as well.
Website Owners – This would be people like me. I need to do all that I can to provide a secure site. I need to stay current on all maintenance releases for the software I am using. That includes the software I am using at my host’s location as well as my client PC that I use to upload data to my host’s machine.
For my part, I stay current with all updates of my PC’s operating system. I keep my anti-virus software current as well as the antivirus signature database that the software uses to search for viruses. I routinely run multiple malware programs in addition to the antivirus software. In addition to the other items, I stay behind a firewall.
I use Outlook for my email and contact manager and this requires constant checking to see if maintenance is required. I keep a dummy entry as my first contact entry and if I get a returned email sent to that contact, I know I have received a worm and it has tried to send a virus out to my contact list. This used to be a well-known exploit of Outlook.
I try to change my password at my hosting provider frequently. Any password that is over six months old should be changed. This is not a bad idea for email accounts also. The choice of passwords is another consideration.
A good password contains both upper and lower case letters and numbers. Using your name or your wife’s name or your social security number or other easy to remember items is a bad practice. If you want to create a password that you can remember and also follows good naming standards do this. Start with a seed word (6 - 8 characters minimum). Now replace every other character with a number. Then go back and replace every other letter with a capital letter. The formula is easy to remember and therefore so is the password, but it will be harder for a hacker to guess.
For example, let’s assume you started with the word “cyberhacker”. It is 11 characters, but it is still easy to remember. Then replace every other letter with a number and you get 1y2e3h4c5e6. Now if you replace every other letter with a capital letter, you get 1y2E3h4C5e6. If you compare “cyberhacker” to “1y2E3h4C5e6”, which would be the easier to guess?
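The formula above, worked through in Python as an added example (it is not part of the original post). The function names, the letters-only seed check and the wrap back to 0 after digit 9 for long seeds are assumptions.

```python
MIN_SEED_LEN = 6  # the post's stated minimum seed length


def transform(seed: str) -> str:
    """Apply the post's two passes to a seed word."""
    if len(seed) < MIN_SEED_LEN or not seed.isalpha():
        raise ValueError("seed must be at least 6 letters")
    out = []
    digit = 0  # running number used in pass 1
    kept = 0   # letters kept so far, used in pass 2
    for i, ch in enumerate(seed.lower()):
        if i % 2 == 0:
            # Pass 1: every other character (1st, 3rd, ...) becomes a number.
            digit += 1
            out.append(str(digit % 10))  # assumption: wrap after 9
        else:
            # Pass 2: every other remaining letter is capitalised.
            out.append(ch.upper() if kept % 2 == 1 else ch)
            kept += 1
    return "".join(out)


def meets_post_criteria(pw: str) -> bool:
    """Upper case, lower case and numbers, as the post asks for."""
    return (any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def surviving_letters(seed: str) -> str:
    """Seed letters that still appear in the result (lower-cased)."""
    return seed.lower()[1::2]


if __name__ == "__main__":
    pw = transform("cyberhacker")
    print(pw, meets_post_criteria(pw), surviving_letters("cyberhacker"))
    # A constructed seed with the same 2nd, 4th, ... letters gives the same result.
    print(transform("xyxexhxcxex") == pw)
```

Because the first pass discards every other seed character and both passes are fixed, the result is determined by the seed's length and its 2nd, 4th, 6th and later even-position letters, so the seed word itself needs to be hard to guess.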
Casual Users – Just because you are a user doesn’t mean that you have no responsibility in all of this. Actually one of the biggest sources of Internet corruption comes from the PCs of casual users. If you don’t keep your operating system current as well as employ up-to-date anti-virus and malware software, you provide a hosting opportunity for the cyber thugs.
Every time you visit a website or open a piece of email you invite someone to grab your PC, if it isn’t inoculated with the latest fixes. If you download free games, free cute Internet Messenger add-ons and visit dangerous websites (porn sites, peer to peer sharing sites, etc.) you are traveling in the darkest and most dangerous areas of the Internet. You are just asking for your PC to become sick.
You should also consider using a password structure as described above. With all the identity theft that is running rampant, you can’t be too careful.
So now what?
If I look at the current problem I just had with my site being hacked, here is what I find. Before looking at the problem, I should warn you that new problems are understandable and are going to happen. Known problems that have existed for a while indicate a host that is providing inadequate security. Looking at the current problem, I see that my host was one of many hosting providers that got hit by this intruder. In this case it appears that a bug in cPanel was exploited to allow the hacker to get access to users’ code.
Then after taking control of websites it was planning on exploiting Internet Explorer users that had not updated their browsers with the latest fixes.
I think that, given the knowledge that extremely out-of-date browsers are such a source of the propagation of Internet problems, it is time to force users to upgrade to recognized safe versions. For example, I use WordPress as my blogging engine, but all blogging users usually have a means of identifying the browser and version of each user that enters the blog. It would be fairly simple for a computer whiz to write a WordPress plug-in that checked a user on entry and prevented any users with dangerous browser versions from having access.
I would go as far as giving my hosting provider authority to stop any user prior to even coming to my blog. I bet if users couldn’t get to their favorite sites with old out of date browsers, they would update quickly.
I think I have written enough to spark a little thought about each one’s responsibility for improving the security of the Internet. Besides, my brain is getting tired.
Now why don’t you go out and have fun, but do it safely.

Hi Don:
I see you have done your homework after your problem with the Russian hacker.
I echo with you about using the latest versions of your browser that has the latest security patches.
As you know, I’m always on the alert for the most recent updates and publish them at my blog to let other users know what is going on. I fully appreciate the danger in visiting dangerous websites as you correctly stated. We are all learning from your experience.
I can still remember the incident of Blue Frog that had to close its doors after an attack from a Russian spammer.
Best Regards,
Omar.-
Maybe I missed seeing it, but do you have a “router?” Those are firewalls that stop 90 - 99% of the things that whack computers on the Internet. It is a hardware firewall.
And, most hackers cannot penetrate firewalls so they depend on the user, you, to open the door and let them in. They entice you with all sorts of things. Sometimes people fall for one of them and get the works they didn’t really want.
Nowadays, the latest trick is to use images to get past the spam and virus filters at hosting sites, and those work. So we have to be extra careful. If I get hacked I should begin to think about what I did wrong.
Brookville Daily Photo
720 pixels
Hi Omar - Thanks for adding to the discussion. There should be a Blue Frog replacement soon. It really was taking a toll on the spammers. Not sure if it would have done any good with a hacker such as this one.
Yes Abe, I am behind a router, and my motherboard also has a built-in firewall. A firewall will not help if you have a browser that is vulnerable and you go to a site that has been hacked and is looking for you. My site should have only been able to affect readers for about 8 hours, because when I got on and saw that my site had been hit, I took it offline.
You have been at this a while and it is unlikely that you would get hacked or hit with a virus, however there are many users that just turn on their PC and are very trusting.
In Panama, there is another problem. Many people buy a PC with the operating system installed by the builder. Many builders install a copied version of Windows and it will not receive upgrades to close the security holes. They are wide open to viruses and to being hosts for hackers.
Then there are users that never accept the security upgrades and are still using vulnerable browsers.
Thanks for dropping in Abe. Hope your wife is doing well.
Although this advice might not apply to the operator of a website, for the individual user the answer is simple: get an Apple.
Hi Tom. While I will agree with you that currently you are safer with an Apple computer, you shouldn’t think that there are no risks with an Apple either.
As I reviewed the security issues yesterday, I saw several that were related to Apple and upgrades that needed to be applied to close security holes.
My hosting provider runs on Linux, which, like Apple’s OS X, is a reasonably secure platform. Assuming that you are safe from hackers is the first step to being violated.
Also the advice on passwords is independent of hardware platform.
Very well thought out and written. Personally, I use Firefox as my browser. Of course, we know that Firefox can be sometimes vulnerable to exploits.
I especially like your advice on passwords. I would like to add that people should use different passwords for different things. And, especially use different and strong passwords for things like online banking, shopping, e-mail, etc. I always find myself trying out new so-called Web 2.0 services. With those, I try to make it a point to use a password I wouldn’t care so much about if it got “stolen.” Just a thought.
Anyway, thanks Don Ray for addressing this.
P.S. I like this background color.
Marie - Thanks for leaving your thoughts. Your additions to the passwords are good advice.