Looking Beyond Passwords: A Hacker's View of Your Website
When I got started in the security of
adult sites back in 1995 it was all about passwords. Every time a
password would get posted to the web the exposed site’s server would
quickly get overloaded and crash. I remember writing complex scripts to
thwart password sharing and hacking attempts. I even went so far on some
sites as to generate random passwords instead of letting the users
choose their own passwords, which made things even more secure. We used
all available methods to keep our sites secure, and it worked; two of
the highest-profile adult sites of the time were never hacked or
compromised. Ten years later, and webmasters still think it's about
passwords.
Adult webmasters seem to spend so much time worrying about people
stealing passwords that they forget about the big picture. Your website
is made up of HTML, some scripts and code to make the site work (the
"web application"), a web server, an operating system, a whole bunch of
other applications and scripts, and of course the hardware that makes it
all work. You know all of this, but it's worth talking about.
How much of that list is really secure? Do you even know? If you do
think it's secure, is it secure enough? Probably not. Maybe you use some
IP filters or "firewall" software to limit access to the server, but of
course you have to allow port 80, port 443 for SSL/HTTPS, maybe access
to your database for remote management, port 22 for SSH, maybe 21 and 23
for insecure protocols like telnet and FTP, and don't forget about 25
for SMTP email. Now your "firewall" looks more like Swiss cheese. No
matter how cautious you are about writing secure scripts and code,
unless someone else with a trained security eye has looked through your
code, there are most definitely some holes to be found. But hey, you
have a script to keep people from hacking passwords.
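As an added illustration (not part of the original article), here is the port list above expressed as two alternative nftables rulesets: the "Swiss cheese" version that accepts every listed service from anywhere, and a tightened version that leaves only the web ports public, limits SSH and the database to an assumed management subnet (203.0.113.0/24 is a constructed placeholder), and never opens telnet or FTP at all. The database port 3306 (MySQL) is an assumption; the article does not name the database.

```nftables
# Added example, not from the original article. Two separate rulesets;
# load one or the other with "nft -f <file>", not both at once.

# --- swiss-cheese.nft: every service in the article reachable from anywhere ---
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # 80/443 web, 3306 database (assumed MySQL), 22 SSH,
        # 21 FTP, 23 telnet, 25 SMTP: all open to the whole internet
        tcp dport { 80, 443, 3306, 22, 21, 23, 25 } accept
    }
}

# --- tightened.nft: public only what the public needs ---
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # Public: the web site itself
        tcp dport { 80, 443 } accept
        # Mail: keep only if this host really has to receive mail
        tcp dport 25 accept
        # Management: SSH and the database only from the admin network
        # (203.0.113.0/24 is a constructed placeholder; substitute your own)
        ip saddr 203.0.113.0/24 tcp dport { 22, 3306 } accept
        # 21 (FTP) and 23 (telnet) are not opened at all; use SFTP/SCP over SSH
        # Log what is left (rate-limited) so probes show up in syslog before the drop
        limit rate 5/minute log prefix "nft-drop: "
    }
}
```

The second ruleset also logs rejected connection attempts, which is the cheapest way to see who is knocking on the closed ports.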
It's about the big picture
A hacker is like a drop of water, always looking for the easiest route.
Why should a hacker spend 50 hours trying to crack a password when he or
she can exploit a hole in your server and gain administrator or root
access in 5 minutes? On the average website there are dozens of ways
that a hacker can take down your system, steal or corrupt data, or
otherwise cause damage to your site and your wallet.
You’re in luck though. Most hackers are interested in one of two things:
fame or money (or both). Similar to graffiti artists, many hackers will
deface a website just to get their name known. Others are more
interested in financial gain and will look to steal your customers'
credit card numbers or transfer money out of your accounts after hacking
the access codes.
The risk assessment
Should you wait until you get hacked and then spend the money and time
to fix the holes? Maybe, but let me show you how to decide. By doing a
risk assessment you can let simple math help you decide whether or not
it's worth waiting or acting now. Let's take this example:
You get hacked and thousands of credit card numbers are stolen. The
hacker posts a few samples on the internet and contacts you looking for
$25,000 to give back the rest and leave you alone. The hacker also
contacts the press about the fact that your credit card list has been
stolen. You can either pay the $25,000 and hope for the best (good
luck), or you can take the hit. You know that every one of those credit
card numbers is going to be cancelled and the customer will get a new
card. Do you think you will ever get them to give you another credit
card number? Do you think when someone comes to your website in the
future he or she will remember the name of your site from the news and
move on to another site? What would that cost? Thousands of lost
customers and possibly the need to change the name of your site and
rebuild your entire reputation online. Is that a $100,000 decision to
make? $250,000? More?
Now that you know what it costs to ignore security, you can make an
informed decision about what kind of money to put into securing your
website. Here's the risk decision: should you pay a few bucks to a
security expert to lock down your systems, or should you take a $250,000
risk every day? It's your call, but now you know how to figure it out.
How many hats should a webmaster wear?
One of the biggest mistakes that a webmaster makes is trying to do
everything. Having been a webmaster and web project manager, it's very
easy to tell your boss or investors, "Sure, I can do that," when you
know that you really have no clue what you are doing. With most things
the boss asks you to do, that's the right attitude. Security is a
different story.
Security is something that should be left to trained experts. Peace of
mind is a wonderful thing, and if you go to sleep worried that someone
is going to hack into your website, something is wrong. Hire a
professional; it's worth the money. That's easier said than done in your
business though. Historically there have been no qualified security
experts who wanted to get involved in the adult website industry, until
now.
I started iBouncer.com
to bring the highest levels of computer, network and application
security to adult websites. We have spent over twenty years providing
the highest levels of computer, network and application security to
banks, internet companies, insurance companies, entertainment companies
and more. Now your adult website can lock in the high levels of security
that you need in order to have peace of mind.