Who Defaced My Website?

We recently covered an article about a number of Zambian websites belonging to some big companies and government departments being defaced and getting hacked but we have no idea why it happened or how it could have been prevented.

From a cyber security point of view, a number of preventive steps could have been performed by those tasked with building and maintaining these sites. As an independent observer and security professional, I know that a lot of Zambian websites are insecure and I have helped a few friends by letting them know that I was able to log in to their administrator accounts within minutes. If I, a mere mortal can do that, then serious hackers can definitely do some serious damage.

So here are 7 things every Web Admin, Web Builder, Systems Admin should know.

1. Passwords:

It has become a common trend for website developers to use software such as WordPress, Drupal and Joomla to develop websites, simply because they come with some fancy templates that will make any novice web developer look like they have been doing this all their life. The issue here is that when you use these applications, be sure to make all your admin passwords strong and secure and store them as encrypted values. DO NOT set up a strong password but save it in a word document saved on the same server. Remember that Passwords are like Underwear; Change them often and don’t share them with anybody.

2. SQL Injections:

Please learn then and know how to prevent them. SQL Injection is code used to circumvent access controls on data driven applications. When you setup a website that has data residing in a database, it is very easy to insert rogue code into your sql queries that could be used to change or delete data in your tables.

3. Software Updates:

Most important of all the things you need to do, is update software. Operating System software as well any applications being used for your website need to be updated as soon as patches are released by the creators of that software. Software vendors release security updates frequently to keep up with the ever so evolving threats.

4. Error Messages:

We all love error messages and we want to be as descriptive as possible to make sure the user understands what has happened and how they could resolve it without needing to call you for support. You must, however, take caution not to give too much information. Take for example a user entering a username and password to log on and they have the right username but wrong password. You want to inform them that the credentials are incorrect but DO NOT tell them that they got the username right and the password wrong because that makes the hacker’s work half way easier. They now know that they only need to work on guessing the password.

5. SSL:

SSL is a protocol used to provide security over the Internet. You must use a security certificate whenever you are passing personal information between the website and web server or database.

6. Website Security Tools:

Invest in some, they will save your life; in security we refer to these tools as Penetration Testing software. There are many vendors that provide commercial off the shelf software for testing your website against penetrations and some free options as well. Examples of free scanning software include Nessus and Netsparker.

7. File Uploads:

Sometimes it can be nice to allow users to upload files to your websites but from a security standpoint, this is never ever a good idea. If you absolutely must have file uploads enabled, then you must always treat each file as suspicious and have some extensive scanning engine to make sure these are not viruses or scripts masquerading as innocent files.

So remember that everytime you are asked to design a website for your company, you should not rush to just making it pretty. Security should always be your top priority when designing websites and providing content to the general public. Hire a security professional to assess your security posture.

©Mwaba Shannon Chisenga, M.Sc, CISSP.

Image credit: Hack News