Hacked - Are you secure?
Like it or not, the Internet is awash with cyber criminals intent on gaining access to any number of internet-connected devices for fun, theft of trade secrets, fraud or a grudge, but mostly for financial gain. These devices can be a website, a shared folder on an external hard disc, or a computer.
Once the device is compromised, the attackers will most likely plant a hidden backdoor and cover their tracks by deleting logs and utilizing proxies such as Tor.
Once access has been gained, they can traverse your whole directory structure to download and upload files or bypass any login prompts as they please in a matter of seconds. Emails and databases can be read at will causing untold damage and destroying your reputation.
Your website could end up generating literally thousands of spam emails, or could lure innocent surfers not to your own pages but to pages the attackers have uploaded in a hidden location. These are used to mimic web pages from large financial organizations such as banks, eBay or PayPal to harvest extremely personal information - all without your knowledge!

How do they gain access?
- Ironically, designers of websites are leaving publicly accessible files on servers containing all the details needed to gain full access
- Malicious software on the user's computer knows where to look for files containing sensitive information such as passwords
- Incorrectly configured accounts of other website owners on the same host computer with access rights to traverse all folders - including yours
- Incorrectly configured accounts on devices connected to the internet
- Brute force password attacks
- Social engineering to capture user IDs and passwords, most likely through email
- Judicious use of search engines
- Insecure or weak Wi-Fi network targeted by drive-by attackers
What protection mechanisms do you need to put in place to defend yourself?
- Bearing in mind that drive-by attacks can take a matter of minutes, regular auditing of files on the device is required to check for malicious activity
- Just as a virus scanner constantly runs on a Windows computer, so too should your account be audited on a frequent basis
- Unfortunately, changing your website FTP password will not protect against other misconfigured accounts on the same host computer that already have incorrect access settings
- DO NOT change your passwords unless you know which account needs changing, e.g. SSH, FTP, cPanel, Windows Logon etc. Prior to this, the device used to change passwords MUST be clean and free of malicious software that might be recording your every keystroke and emailing it to an attacker
- Regularly check your website HTTP and FTP access logs for unrecognized access
- Make it relatively painless for kind visitors to inform you of any problems by having a contact page on a website or a ContactMe text file on your device that you allow visitors to read
- Configure your .htaccess and robots.txt files appropriately on websites – very important
- Regularly check your .htaccess file for malicious code. Even though a website may be free of malicious tampering, commands in the .htaccess file could redirect visitors to some malicious server hosting your cloned website
- Check your folder permission levels are set correctly, especially on your images folder
- Make sure ALL files that should not be public are kept off the server
- Any files containing passwords should themselves be password protected
- On your own computer, do run malware protection software and keep it up to date with software updates when prompted – contact me for my own personalized service
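As an added illustration of the file, folder-permission and .htaccess checks listed above (example code written for this page, not a DJ Reproductions tool), the Python sketch below compares a website folder against a known-good snapshot and reports new or changed files, world-writable folders and .htaccess redirects that point off-site. The function names, the own_hosts parameter and the hosts www.example.org and elsewhere.example are assumptions made for the example; the sample site is constructed in a temporary folder.

```python
import hashlib, os, re, stat, tempfile

# Redirect* / RewriteRule lines whose target is an absolute URL; group 2 is the host.
REDIRECT = re.compile(r"^\s*(Redirect\w*|RewriteRule)\b.*?\bhttps?://([^/\s\"']+)", re.I)

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def audit(root, baseline, own_hosts):
    """Compare root with a known-good baseline; flag loose folders and off-site redirects."""
    current = snapshot(root)
    found = {"added": sorted(set(current) - set(baseline)),
             "removed": sorted(set(baseline) - set(current)),
             "changed": sorted(p for p in current.keys() & baseline.keys()
                               if current[p] != baseline[p]),
             "world_writable": [], "offsite_redirects": []}
    for folder, _dirs, files in os.walk(root):
        rel = os.path.relpath(folder, root)
        if os.stat(folder).st_mode & stat.S_IWOTH:  # any account on the host can write here
            found["world_writable"].append(rel)
        if ".htaccess" in files:
            with open(os.path.join(folder, ".htaccess"), errors="replace") as fh:
                for number, line in enumerate(fh, 1):
                    hit = REDIRECT.match(line)
                    if hit and hit.group(2).lower() not in own_hosts:
                        found["offsite_redirects"].append((rel, number, hit.group(2)))
    return found

def demo():
    """Constructed site in a temp folder: baseline, then simulated changes, then audit."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "images"))
        def write(rel, text):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        write("index.html", "<h1>Home</h1>\n")
        write(".htaccess", "Options -Indexes\n")
        baseline = snapshot(root)  # in real use, keep this copy off the server
        write("images/unrecognised.php", "placeholder\n")
        write(".htaccess", "Options -Indexes\nRewriteRule ^(.*)$ http://elsewhere.example/$1 [R=302,L]\n")
        os.chmod(os.path.join(root, "images"), 0o777)
        return audit(root, baseline, own_hosts={"www.example.org"})
```

Calling demo() returns the findings for the constructed site. In real use the baseline must be taken while the site is known to be clean and stored somewhere the web server account cannot overwrite.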
What can I do?
DJ Reproductions will conduct a risk assessment on your website or internet connected device and offer a report on what has been found along with mitigating measures to be taken.
My commitment
- To seek mutual approval before testing begins
- To help strengthen your network
- To create a test plan and goals of the test
- To abide by the law
- To advise on any vulnerabilities found, with full disclosure
- To keep results and ALL information totally private & confidential
- To agree ground rules such as timing and off-limit areas
- In the event of known malicious files and suspicious directories being found, mitigating measures will be taken
Do not be embarrassed by what is stored on the device; we can assure you that everything is totally private and confidential. In such instances, your security needs to be rock solid, so don't hesitate in the slightest to contact me.
How much does it cost?
Regardless of whether a website is a few files and folders or a major ecommerce site, the damage can end up being the same. As this is a manual process, cost is dependent on the number of files and their complexity.
- Basic website – usually a dozen or so files – strictly one domain
- Intermediate website – up to 20 files – strictly one domain
- CMS website – WordPress / Joomla – strictly one domain
- Ecommerce website – strictly one domain
- Root level access
Risk assessments start at £5 for students, otherwise £20 for all others, for an initial survey and advice. Depending on initial findings, a quotation will be provided accordingly. Contact me to discuss your requirements in confidence.
This is all too much, what happens if I leave things as is?
Attackers have zero emotional connection to the victim and can carry out nasty tasks such as:
- Turn a webcam on and spy on you whilst uploading the video for public humiliation or ransom – this is a really big deal
- Read your emails, that includes very private correspondence such as passwords & financial information – this is a big deal
- Send spam emails from YOUR account
- Store malicious files or host questionable images and videos on YOUR server
Neglected devices are most often used for the proceeds of crime using your identity and could affect your credit rating. For the sake of reduced spam and your personal identity kept private, we urge you to audit your devices – now.
If you are comfortable with these sorts of things, then that is your call.
Final word
- Don't panic
- Don't go changing passwords. Consider that every keystroke you type could be emailed to an attacker
- Do clean your PC of malware, rootkits and viruses regularly
- Do keep private data away from the Internet
- Do a regular audit of your network security
- Don't be complacent - act now!
Never underestimate the lengths attackers will go to in order to gain access. Protect your privacy and help reduce world spam.