Value of a Hacked Website

After our recent Data (In)Security post, we fielded many questions from owners of small sites and blogs that basically boiled down to one common theme – I’m not Target so why would anyone hack my site?

Thanks to news coverage there’s a common misconception that attackers are only after banks, large companies, or critical infrastructure. No doubt we live in a world where big names get big headlines. However, a more accurate account of the assault on small business websites comes from industry reports. Case in point: the Verizon 2013 Security Report cited that 71% of data breaches affected companies of 100 employees or fewer.

The attacks are driven, in large part, by an ever-growing number of websites. In the past 3.5 years alone, the number of active websites has doubled from 90 to 180 million (according to Netcraft). This rapid increase in the creation of individual and small business websites has produced a threat landscape that mimics that of the late 1990s and early 2000s. It was during this period that broadband access boomed – creating millions of new targets (PC owners) with limited time to understand the risks they faced.

In a snapshot, the above image illustrates time-tested reasons why criminals target small websites. The image is based on the infographic Value of a Hacked PC, created by Brian Krebs. If you’re not familiar with his work, check out his website, Krebs on Security. Krebs’ security coverage unwinds cyber-criminal activity in near real time and often reads like a Tom Clancy story.

Unfortunately, the number of ways criminals can monetize your company’s website is too vast to cover in one blog post. Over the coming weeks we will drill down on specific threats. For now, suffice it to say, no site is too small to be victimized.

I’ll sign off with this friendly piece of advice: To everyone using a CMS, do yourself a favor and update to the latest version!


Automatically Blocks Shellshock Attack Vectors

Shellshock is out, and it’s exactly the type of threat that reinforces the importance of real-time, proactive, automated security.

6Scan has developed solutions to protect our customers’ websites against Shellshock attack vectors and we will continue to automatically update our active subscribers as new vectors emerge.

Through our patent-pending automated website security we are able to define common attack vectors and filter out malicious traffic designed to exploit websites that are exposed to this vulnerability. As new attack vectors emerge we will continue to update our security in real-time.

Shellshock details

The vulnerability comes from a weakness in the GNU Bourne Again Shell (Bash), the text-based, command-line utility on multiple Linux and Unix operating systems. Researchers discovered that if Bash is set up to be the default command line utility on these systems, it opens those systems up to specially crafted remote attacks via a range of network tools that rely on it to execute scripts, from telnet and secure shell (SSH) sessions to Web requests. The vulnerability is summarized here.
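As an added illustration (not 6Scan's code and not part of the original post), here is a minimal request-header filter of the kind described above. It assumes the widely documented Shellshock signature, a header value that Bash would parse as a function definition because it begins with `() {`; the sample requests, placeholders and function names are constructed for the example.

```python
import re

# Under CGI, request headers are handed to the handler as environment
# variables. A value that starts with "() {" is what Bash treats as an
# exported function definition. The pattern tolerates extra whitespace, so it
# is deliberately a little broader than Bash's own check.
FUNC_DEF = re.compile(r"^\s*\(\s*\)\s*\{")

# Constructed sample requests (illustrative only): id plus header name/value pairs.
SAMPLE_REQUESTS = [
    {"id": "req-1", "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
                                "Referer": "https://example.com/"}},
    {"id": "req-2", "headers": {
        "User-Agent": "() { <body placeholder> }; <command placeholder>"}},
    # Benign look-alike: the pattern is not at the start of the value.
    {"id": "req-3", "headers": {"User-Agent": "curl/7.35.0",
                                "Cookie": "note=call foo() { later }"}},
    # Whitespace-padded variant hidden in a header other than User-Agent.
    {"id": "req-4", "headers": {
        "User-Agent": "Mozilla/5.0",
        "Cookie": " ()  { <body placeholder> }; <command placeholder>"}},
]


def suspicious_headers(headers):
    """Return the names of headers whose value looks like a function definition."""
    return sorted(name for name, value in headers.items() if FUNC_DEF.match(value))


def filter_requests(requests):
    """Split requests into (allowed_ids, blocked); blocked maps id -> header names."""
    allowed, blocked = [], {}
    for req in requests:
        hits = suspicious_headers(req["headers"])
        if hits:
            blocked[req["id"]] = hits
        else:
            allowed.append(req["id"])
    return allowed, blocked


if __name__ == "__main__":
    allowed, blocked = filter_requests(SAMPLE_REQUESTS)
    print("allowed:", allowed)
    for req_id, names in blocked.items():
        print("blocked:", req_id, "via", ", ".join(names))
```

Every header is checked, not only User-Agent, because any header value can end up in the handler's environment.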

The Guardian website has a good non-jargon write-up and, as usual, Krebs on Security has good coverage, including this warning:

“The bug is being compared to the recent Heartbleed vulnerability because of its ubiquity and sheer potential for causing havoc on Internet-connected systems — particularly Web sites. Worse yet, experts say the official patch for the security hole is incomplete and could still let attackers seize control over vulnerable systems.”

Stay safe.