Thursday, May 20, 2010

So You Think Your Website Won't Get Hacked

Many website owners believe that by not having a high profile website, cyber criminals will not hack their website. This falsehood has lead to many websites being taken down and in many cases, the complete loss of the online business.

One of the hard realities of the internet today is that you need to secure your website before the first time you connect them to the net. Many new websites have, within minutes of being connected to the Internet, been hacked. This effect was caused not by hoards of hackers, but instead by scanning programs constantly searching the net for this weeks favorite vulnerability.

Most of the attacks that a website will experience range from random, unstructured episodes to the well-organized and targeted variety—both of which tend to be automated. Automated attacks can vary in their relative complexity, with attacks being initiated against a target or opportunity directly, or (more likely) through several systems that may not even know they are being used as instruments in the attack. Estimates vary on how many systems may currently be compromised in such attacks, but it has been found that the systems used are present in all kinds of situations—from the small business to the large corporation.

Who then is typically responsible for carrying out such attacks? In most cases, these automated attacks are launched by those with the lowest skill levels of the hacker community—those known as script kiddies. Script kiddies typically don't have the knowledge of those higher in the hacker community have, but that doesn't mean they can't be dangerous. When script kiddies launch an attack, they typically do so without realizing the results of their actions, such as potentially crashing systems or inadvertently performing a denial of service (DoS). These individuals fit the profile of a newbie who finds a new application, such as a scanner or password cracker, and runs it against large swathes of targets looking for an "interesting" result.

It is believed that the vast majority of the "hacker" underground is made up of these script kiddes who have only been using computers for a few years and who really know comparatively little about them. These are people, usually kids, who are attracted by the seemingly magical powers that hacking gives them. Since they know so little about computers, they don't really known how to hack themselves but instead follow recipes or "scripts" developed by real hackers. Most of these scripts are easy-to-use programs whereby the "script-kiddy" simply enters the IP address of the victim.

These script kiddies are a subset of hacker-culture. They are are usually young, unknowledgeable, curious and destructive. Unlike 'hackers' who attack a system for profit or personal satisfaction, script kiddies do it because they can. What makes a script-kiddie different from a hacker or an advanced user is that a hacker or advanced user, commonly has a vast understanding of what he or she is doing, explores and locates the security vulnerabilities, and/or creates the programs or scripts that others may use.

Lacking the knowledge to write their own exploit code (or understand the code written by others), script kiddies turn to pre-made tools that make exploits click-a-button easy. Unlike a hacker, who chooses a system then scans it for vulnerabilities and exploits them, script kiddies learn about a specific exploit then look for any site, system or server that is vulnerable to it. They also tend to be indiscriminate and may try to compromise any website on the Internet they can reach.

This is what makes attacks by script kiddies dangerous to small businesses. They attack randomly, so even if you think that there is no one out there who would be interested in compromising your website, there is a whole community dedicated to searching and scanning for anything to exploit. The adolescent demographic that makes up the majority of script kiddies are searching for power - not money and certainly not a cause that they feel is worthy. Once they find power, they exercise it. Most of them wouldn’t be able to commit a crime (let alone violence) in person. Attacks on systems however add a layer of separation that removes both the stigma and the fear from what they do. They see no connection between their actions on the web and the harm they can and do cause.

Script kiddies tend to select their targets based on ease of access and without regard to a system's relative importance or even whether that system is prone to crashing or other instability as a result of the attack. Also consider that in certain cases, script kiddies may post their results or actions on a newsgroup or blog, letting others know how and against whom they perpetrated their attack, thereby making you a bigger target. With a system compromised, an attacker may choose to pick any of a number of actions on the "menu," including attacking other systems or placing utilities on the system with the intent of waiting for valuable data to float by.

The attacks that script kiddies launch may look on the surface like those more organized groups, or even what the criminal element employ. In some cases, script kiddies are themselves pawns of organized crime or other organizations that might be looking to make financial gains.

Although most good hosting companies will protect their servers (and usually your site to some degree) it’s important to understand that you are responsible for your own site.

Script kiddies, unfortunately, are often just as dangerous as exploiters of security lapses on the Internet. The typical script kiddy uses existing and frequently well-known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other websites on the Internet - often randomly and with little regard or perhaps even understanding of the potentially harmful consequences.

While a hacker will take pride in the quality of an attack - leaving no trace of an intrusion, for example - a script kiddy may aim at quantity, seeing the number of attacks that can be mounted as a way to obtain attention and notoriety. Script kiddies are sometimes portrayed in media as bored, lonely teenagers seeking recognition from their peers.

Because of the ease-of-use of these programs, there are hundreds of thousands (if not millions) of script-kiddies on the Internet. This has generated a certain "background-radiation" on the Internet. Any website connected directly to the Internet with a high-speed connection will likely see a fair number of attacks against their system from these script-kiddies.

There has often been a tendency among System Administrators to discount the danger of script kiddies, and this can be a misleading and dangerous thing to do. Script kiddies can have a much greater capability to cause problems then their skills alone would indicate.

As mentioned previously, most of the time script kiddies will find their victims by using scripts that conduct automated searches and attacks. These scripts written by skilled crackers or modified by some less skilled person are traded via IRC, FTP sites, web sites and other methods and can spread through the net with lightning speed. Soon after a new exploit is discovered and a script written for it, you may find it being used to attack systems all over the world.

With thousands of script kiddies who live for the next crack who needs enemies? At least if you had someone gunning for you, you could have some idea of who was after you, what they could do etc. What the script kiddie lacks in skill he/she can make up in time and computing power. Each website they crack adds to their arsenal for the next scanning attack.

The process the script kiddies use in scanning for systems to crack make the attack less personal and more abstracted. It can be harder for them to identify with their victims and easier for them to do damage or destroy their target without feeling the twinges of conscious or remorse for their actions.

The majority of script kiddies prefer "playing" with unprotected sites. Their programs usually only work if the site is unprotected, or their security is really out of date. These kind of individuals usually can't do anything to a reasonably protected site. Since they are trying to feel important: if they (or their robots) can't get in immediately, they'll just go elsewhere.

The only way to win in this game is to stay one step ahead of the hackers, and ironically, this is easy to do with script kiddies. They won't dig deep into your system, they won't be persistant and they won't focus, but all you have to do is leave your website unguarded from the latest vulnerabilities and they will be on your system in hours (if not minutes).

You should now hopefully realize that the most important aspect of operating an online business is keeping your investments secure at all times. The internet is a very dangerous place, especially for business that conduct hundreds or thousands of dollars in eCommerce each and every day.

It is of the upmost importance to remember that, any website connected to the internet is automatically vulnerable to hacker attacks, and will eventually be attacked. Thinking your website will never be attacked is a falsehood that could destroy your website and your online business.

If you want more information on plugging the security loopholes in your website, please visit the following website: