Monday, February 5, 2007

Web Site Security Affects You

1987 - Mitnick invades system at Santa Cruz Operation. Santa Cruz police travel to Los Angeles to search apartment where call coming into SCO originates. ( …) Mitnick's representation bargains felony charge down to misdemeanor. Sentence: three years probation.

At SCO, Mitnick found his way in via “war-dialing” onto a UNIX system. Did he crack root? No, root on this system had no password at all… Kevin wasn’t after SCO, he wanted UNIX source so he could get even deeper into Ma Bell’s computers.

20 years later, another hacker discovers a system they can access, only this guy isn’t after big business, he was after YOU.

Last week, Websense discovered that several Super Bowl related web sites had been hacked. According to news reports, these systems were compromised on or before January 26, but engineers at the affected sites were not alerted until February 2nd. For a period of a week, a malware package installed on the victim web server attacked every visitor to the site.

You might not discover “Hackistan” but Hackistan wants to discover you. I intend no offense to my friends from South East Asia, but I like this idea of Hackistan (more on this later).

The crooks are making the Internet their own. Gone are the days when Kids broke into systems to prove their l33t skill, the game is all about money now. And the money is getting very very big.

We can only guess how many systems this attack affected. Enough however, that it appears that the malware server in China was failing under load. Get the irony? The bad guy’s computer was crashing because he had too many victims phoning home.

This hacker was not after fame. No vandalism or political messages, the web sites continued to operate as normal. By the way, I don’t consider people like this to be hackers… this person is a crook, a perpetrator after your login, passwords, credit card info – anything and everything he could get, so he could sell your identity or rip you off directly.

Solution? Simple:

  1. If you have a computer, keep it patched and use a personal firewall.
  2. If you have a web site, monitor the hell out of it.Find someone who will watch your web site and the entire infrastructure it relies on. Don’t settle for a once a quarter/month scan. Find someone who looks at your web site the way the hackers do. Pay them to check it now and check it every day, 365 days a year. This is not a choice any more.

No comments: