Web Security Stories to scare you in the right direction.

Recently I presented a session on web security at Joomla Day Chicago. To prepare for it, our PM team and I had the pleasure of meeting with Jeff Brown, security specialist and mastermind developer of the SecureLive software, as well as Tom Canavan, the acclaimed author of the “CMS Security Handbook”. We shared many stories about client experiences and what our clients and their customers should be concerned with when it comes to security. I think the most important realization here was that there really needs to be more awareness of the amazing capabilities of hacker networks and the potential liability an average Joe website owner could be responsible for.

I want to share reasons for paying attention to web security that should scare you… because it sure scares me, and I am more fortunate than others to have folks on our team who are real security pros. The real-life capabilities of some of the crafty hackers, and what they actually can do, are nothing less than amazing. In this article I want to help you identify where you can find good information on security and offer a couple of solutions you can consider for protecting your Joomla CMS web portal as well as reducing risk to you and your company.

 

Crafty hackers stealing information and leaving you with the liability.

We had a client that hired us for some development work and then decided to have another in-house resource take over the work we had been doing. I had continued to recommend that they improve security on their web site by using our preferred security solution, SecureLive (www.securelive.com), or at least something that added better protection than they had. Well, they did not listen to this advice, and of course they eventually got hacked, and oh, did they get a doozy. They were still hosting with us, so they called me in a panic and I referred them to SecureLive for their clean-up service. What we discovered is that a very crafty hacker had found a way to inject a script that allowed them to get a script into the root of the web site, which then allowed them to put in another script, which allowed them to access not just the server but, if the crafty hacker wanted to, the entire cloud platform where the site was hosted. Oh, and by the way, this was done in a way that the script could live there virtually undetected, because it was designed to not let its activities show up in server logs. If we had not caught this in time it could have been a major catastrophe, since every bit of user information or credit card information on the entire cloud system could have been compromised. So this brings up the question: who would have taken the hit for the results of this vulnerability? The client! Yes, that is right: you, the business owner of the web site. Most hosting companies do have a sense of ethical responsibility to protect their customers, but when the rubber hits the road they will hold you responsible, since it came in from your web application and domain.

Remember all of the fine print you agreed to when you signed up for hosting? Well, that is what it was for: to protect the hosting company from what is ultimately your responsibility. Regardless, as the middle agent on the hosting environment we would have been kicked off the ISP as well, and would most likely have shared in the responsibility, even though we had no active role in what caused this and took plenty of proactive steps to prevent and repair it.

So now take this a step further. What if someone else got hacked and then a cyber-criminal decided to steal information about you or your customers and you had no way to trace where they came from or how they got in since they came from another website that shared some of your server resources? This raises so many questions we could write a book just on this case study.

In the end our development team ended up writing some very specific code to protect us from this type of “hack” and we made it mandatory for all of our hosting customers to use SecureLive. We even built a whole hosting platform around protecting our clients from this type of cyber threat.

Google Juice:

The rub with web security and how important it is gets even more interesting when you consider another story. There is a new buzzword out there in the cyber-crime world known as “Google Juice”.

So what does this mean? A recent client came to us with this problem: a hacker injected some code into a web site that allowed them to alter the links found with Google search results. This sounds simple and maybe like not a big deal, but… [pause] …let’s explore this concept.

If you are in the web marketing space, your company spends tons of resources (money and time) writing articles, monitoring PPC, generating press releases and perhaps many other activities trying to generate inbound search results, leads and ranking for your web site. So when some hacker comes along, takes these results from you and can sell them for profit, it could get quite frustrating. Then, since the links in the results have nothing to do with your content, all of a sudden it is flagged as “spam”, and Google and other search engines penalize you for results that lead to content not relevant to your search terms. That makes your investment worthless and actually costs you more money to recuperate from the damage, plus the cost to clean out the hacker’s code. And by the way, once you have a problem like this on your site it takes a while for the results and associated links to be updated, so rebuilding can actually take longer than it did the first time. I’ll bet some smarty pants in the social sphere would not hesitate to trash you a little bit, and perhaps some groundswell activity happens, causing more damage control. I think you can see the grim picture and aftermath this could cause. All in all, this can be frustrating, expensive and embarrassing all wrapped up in one.

Food for Thought:

The two scenarios above give you a picture of how web security could cost you a lot of money, time or even your business. We recommend using a security tool such as SecureLive, which will provide many utilities for managing your security while blocking and monitoring the attacks on your site. In recent months we took over an account for a large publishing company that had been riddled with continuous hacks and subsequent site crashes for years. Since we installed SecureLive they have not been hacked once, and when we audited the log of attack email notifications over a 6-month period we found they had over 64,000 attacks that were blocked during this time period. There are other solutions for security, but for any Joomla CMS portal we feel this is the best option in the marketplace. One other important thing to mention is that when we compare the top three open source CMS systems, they all have around the same level of cyber threat activity. What this means is that there are many other considerations you need to keep in mind related to your security strategy in addition to the configurations or choice of CMS platforms. This is why we recommend getting a copy of Tom Canavan’s book “CMS Web Security Handbook” (check Amazon). He covers many other factors you need to consider related to security that are outside the scope of your CMS itself.

Conclusion:

Use a security management and monitoring extension for optimizing your CMS environment, and get good information on what steps and action plans will maximize the effectiveness of a solid web security strategy. Work with a support company that has a clear understanding of security and follow their advice; even if it costs you a little more up front, it could save you considerably more on the back end of a catastrophe.