Hackers, crackers and slackers


The intention of a hacker (or better: cracker) was usually not financial gain in the past, but the world is changing fast. Identity theft and spamming are becoming more lucrative for criminals online. In mild cases the hacker just wants access to your system to show that the security system can be broken. In worse cases the hacker is malicious and deletes data or steals your information. In the latter case, important data like client records can be compromised. Therefore it is always advised to purchase a secure digital certificate.

Hacker profile

Website hackers fall in three broad categories:

  • Criminals, whose intention is financial or other gain
  • Show-offs, whose intention is hacker status among their peers
  • Vandals, who merely wish to destroy and corrupt sites for fun

All of these are considered so-called black-hat hackers. White-hat hackers perform the same actions, but never actually do damage. They politely contact the site owner, showing what could happen if a black-hat hacker were to find the vulnerabilities. That is more like a neighbourhood watch telling you that you left the windows open.

Risks involved

The risks of a website that is hacked can be quite scary, but it all depends on how much the business relies on the website for profit and data storage.

  1. If you have financial data, especially credit card information either being stored or going through the website, you're at particular risk of criminal hackers trying to steal this data. After this you can also expect lawsuits from customers whose credit card or other private information is compromised.
  2. If you take reservations or online orders and your site is taken down or 'defaced' (more on that later) these will stop working. That means from the time the site's functions are down until full recovery you will have missed business, which can add up to a lot if you have a busy site.

Types of attack

  • Defacement - this is the most common attack. A site which is 'defaced' will usually show the name of a hacker group on the front page, e.g. "this site is hacked by evil-h@ckerz". Believe it or not, there are even online lists of hacker groups showing off their skills with links to sites they hacked. It's hard to prosecute these persons, since usually they are from e.g. Turkey, Russia, or China.
  • Exploits - believe it or not, most software in use has security holes. If the software is not up to date, a hacker can sometimes get unauthorized access to certain parts of the site by simply using these known holes. The extent of the attack differs per security hole. Some give access to just changing one page, some give access to the admin panel, and some would even give database access.
  • Server break-ins - these are very serious attacks that are usually only done by seasoned criminals. A server is a computer that runs multiple websites. This means that if the attacker gets hold of the password of the server, they are not only able to change all websites running there, they are sometimes even able to modify the system or run their own programs. A common program to run is a keylogger, which criminals use to capture all keys typed on the server. That gives away user names and passwords for other servers, so the criminal can expand their network. Sometimes it's not so serious and it's more of a prank, but it still takes a lot of skill to even get into the server.
  • DDoS - Distributed Denial of Service. This is much less common, and more professional. Usually famous websites come under these attacks, e.g. ebay.com, whitehouse.gov etc. The attack consists of hundreds to thousands of electronically hijacked computers that simply bury the website under normal valid requests, thereby overloading the site, which will shut down when traffic gets too high. This is similar to hundreds of people running down a gate.
  • Script attacks (XSS and clickjacking) - especially on public forums, if the attacker can include his own code in a comment, a special script can redirect a link or run a script without the user knowing about it. Modern browsers try to prevent this from happening by tightening the security level required to perform these actions. It is therefore important to use a browser that updates automatically, such as Firefox.
  • Spoofing and phishing - Someone makes a site that looks just like yours and tries to get people to enter their credit card number for a 'reservation' or 'order'. Of course they will never deliver, and they will have your phone number and contact information on their site. You should have a digital certificate in case you take credit card information online!
  • Social engineering - this is the least used of the attacks, but it's quite powerful. For example, somebody calls you and tells you they work with CaribMedia. They then ask you for your email address and password to 'check your account'. When you give the password, they now have access to your email account and can use it e.g. to send out spam messages, or get hold of sensitive data from your company. It is very important to verify that who is calling is actually who they say they are. If you cannot, or are not satisfied with the response given, do not give out the information.
  • Spammers - these fall into two types: spammers who spam your site, and spammers who want to take control of your website / server to send spam. The former are not really taking control of the site, but they do like to use guest books and forms to send out spam messages (unsolicited commercial email). The danger is that this can quickly fill up the available space, not to mention that it can damage your reputation if the email is sent from your address or site. The latter type are more dangerous and would rather go undetected, so they will attempt a server break-in or exploit (see above) to use your server's resources to send spam.
  • Disgruntled (ex-)employees - did you know? A new survey finds that nearly 9 out of 10 IT employees say they'd steal privileged or confidential information if they knew they were going to be laid off tomorrow. Disgruntled employees, whether fired or still working for you, can do serious harm, especially if they are in the IT department. So keep them happy, listen to their advice, and pay them well. They are worth it, and you put a lot of trust in their hands. Of course, if you do have a bad relationship with an (ex-)employee, make sure that their access rights have been fully revoked. Don't let this happen to you.
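
The script attacks in the list above rely on a comment being pasted into the page unchanged. The following is an added example, not code from this article or from CaribMedia, showing a guestbook comment rendered the vulnerable way and the hardened way, plus response headers that stop a page from being framed for clickjacking. The function names and the sample comment are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: a guestbook comment carrying attacker-supplied markup.
SAMPLE_COMMENT = '<script>location="https://attacker.example/"</script>Nice site!'


def render_comment_unsafe(author, text):
    """Vulnerable form: user input is pasted into the page as-is."""
    return f"<li><b>{author}</b>: {text}</li>"


def render_comment(author, text):
    """Hardened form: every user-supplied value is HTML-escaped on output."""
    return f"<li><b>{html.escape(author)}</b>: {html.escape(text)}</li>"


def safe_link(url):
    """Turn a user-supplied URL into a link only if it is http(s).

    Schemes such as javascript: or data: are rejected (returns None).
    """
    url = url.strip()
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return None
    escaped = html.escape(url, quote=True)
    return f'<a href="{escaped}" rel="nofollow noopener">{escaped}</a>'


# Headers to send with every page: restrict where scripts may load from and
# forbid other sites from embedding the page in a frame (clickjacking).
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    print(render_comment_unsafe("guest", SAMPLE_COMMENT))
    print(render_comment("guest", SAMPLE_COMMENT))
    print(safe_link("javascript:alert(1)"), safe_link("https://example.org/"))
```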

Prevention

We take our own measures to stop hackers in their tracks, like

  • regularly changing server passwords
  • regularly monitoring availability (uptime) of sites
  • regularly monitoring form and email usage
  • making frequent backups of databases and website files
  • testing websites during development
  • creating our own systems as much as possible, not relying on public software
  • being careful with storing passwords
  • not storing anything that doesn't need to be stored
  • applying critical security updates to servers and the software used on them

Here's what you can do yourself

  • regularly change your CMS and email passwords
  • don't give out passwords to other people. If necessary CaribMedia can create multiple email accounts, forwarding rules and aliases.
  • visit your website every day
  • let us implement an anti-spam solution for your guestbook or comments form
  • if you get a call from someone claiming to be from CaribMedia asking for your password, and you don't trust it completely, simply say "I will call you right back"  and then call CaribMedia. We don't store email passwords, and you can also change the password yourself, so it's not guaranteed that we have your password. We can however always reset the password without having to know it.  
  • run a proper virus scanner daily, and be careful with any files coming from outside (USB drives, CDs, email attachments, downloads). A virus could potentially get your passwords and other sensitive data and send this to its owner. This can include passwords for emails and the website itself.
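
The daily visit and the uptime monitoring mentioned above can be automated. The following is an added example, not CaribMedia's own monitoring code: it checks a fetched page for an error status, for defacement banners like the one quoted under "Types of attack", for expected content that has gone missing, and for any change against a stored baseline. The phrase list, function names and sample pages are constructed for illustration; fetching the page is left to the caller so the check runs offline.

```python
import hashlib
import re

# Phrases typical of defacement banners (constructed list, extend as needed).
DEFACEMENT_PATTERNS = [re.compile(p, re.I) for p in (r"hacked\s+by", r"defaced\s+by")]


def fingerprint(body):
    """Hash the page with whitespace collapsed, so reformatting alone is not flagged."""
    normalized = re.sub(r"\s+", " ", body).strip()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def check_page(status, body, baseline_hash, required_markers):
    """Return a list of findings; an empty list means the page looks healthy."""
    if status != 200:
        return [f"unavailable: HTTP {status}"]
    findings = []
    for pattern in DEFACEMENT_PATTERNS:
        if pattern.search(body):
            findings.append(f"defacement phrase: {pattern.pattern}")
    for marker in required_markers:
        if marker not in body:
            findings.append(f"missing expected content: {marker}")
    if fingerprint(body) != baseline_hash:
        findings.append("content differs from baseline")
    return findings


# Constructed sample pages: the known-good home page and a defaced version.
GOOD = "<html><title>Hotel Example</title><body>Book a room</body></html>"
DEFACED = "<html><body><h1>this site is hacked by evil-h@ckerz</h1></body></html>"

if __name__ == "__main__":
    baseline = fingerprint(GOOD)
    for label, status, body in (("good", 200, GOOD), ("defaced", 200, DEFACED), ("down", 503, "")):
        print(label, check_page(status, body, baseline, ["Book a room"]))
```

A hash baseline only suits pages that change rarely; for pages with dynamic content, rely on the phrase and marker checks and refresh the baseline after each legitimate update.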

Recovery

To recover from an attack

  1. Call CaribMedia right away (phone: 5834144). We will assess the situation and take immediate action, once authorized by you.
  2. If necessary, let important clients know that your website is not (fully) operational, and you will keep them informed.
  3. Help us to trace back what happened and to recover the situation.
  4. Legal action. In the most severe cases you can try to recover damages the legal way. But don't count on anything, since the masterminds are usually in some obscure country, and are very hard to track down.
So, make sure your IT department is running smoothly, and do the regular checks.