The era of cybercrime: Why businesses must learn how to protect their online systems and keep up to date with modern security.
Adam Milton-Barker | Apr 27, 2015 | Web Apps, Security & Hosting

In 2014 we witnessed a massive rise in cyber crime and critical security bugs. Unfortunately, this year the problem continues to grow and is getting more and more out of control. Many businesses don't understand or even care about security, and this is the first major problem to overcome in the battle to create a safer internet.

Over the last few years I have spoken with people about online security and to my amazement, and horror, I have come to realize that keeping visitor, client and staff data safe is not a priority for most businesses.

The truth is that in this day and age, if you don't understand or care about security, then you should not be handling people's data or providing online services.

Some of the most common things that people think are that security doesn't apply to them, that no one would want to hack them, that it is too much trouble to learn about modern vulnerabilities and protect against them, that they don't have time, and that it won't happen to them. None of these are good ways to think if you want to run a business that is responsible for handling client and staff data or providing online services to the general public.

Everyone is at risk, and business owners who do not keep up to date with modern security implementation put not only themselves and their staff at risk, but also their clients. Even if you are not storing data on your website, you run the risk of infecting visitors to your website if you do not use modern encryption methods.

------------------------------------------------------------

Here are a few of the main security issues and hacks that have happened over the last year:

2014: Heartbleed

Heartbleed is a cyber vulnerability and a global issue that affected millions, and probably billions, of people.
The bug was a vulnerability in cryptographic software called OpenSSL, one of the most commonly used forms of encryption on the web. A lot of the websites you visit that had https in the address were affected by this bug. (By now all websites should use encryption; if a website doesn't use https you should not use it, and apart from anything else, websites that do not use encryption are now penalized by Google.) Still today, I am sad to say, I have tested sites that are still vulnerable to this bug.

2014: ShellShock

ShellShock is a bug that could have been around for the last twenty years. ShellShock uses Bash scripts to communicate with vulnerable servers. Once attackers have accessed a server they can launch programs and basically do a lot of bad stuff. Although this bug was targeted only at web admins and hosting companies, it is a lot more dangerous than the Heartbleed bug.

2014: Poodlebleed

The Poodlebleed bug allows MITM (Man In The Middle) access to data exchanged with affected websites that use SSL 3.0. POODLE stands for Padding Oracle On Downgraded Legacy Encryption and allows naughty people to view encrypted data over what is supposed to be a secure connection.

2014: Microsoft Schannel vulnerability

The Schannel vulnerability was a bug found in the Windows operating system that affected every single Windows computer in the world. The bug allowed remote code execution, meaning that hackers could put whatever code they wanted on your computer and execute it.

2014: Sony hacked

In late 2014 Sony was hacked a number of times. The hackers retrieved addresses, email addresses and other personal information, including Social Security numbers, of over 3,803 Sony employees and leaked them online. Members of staff received emails threatening them and their families: “Please sign your name to object the false (sic) of the company at the email address below if you don’t want to suffer damage.
If you don’t, not only you but your family will be in danger.”

In addition to this, a spreadsheet of salaries and five Sony films, including Still Alice and Annie, were leaked online, and thousands of passwords were stolen from a folder stupidly named passwords.

2014 / 2015: WordPress hacks galore

I believe that WordPress is a very dangerous system as it gives people the impression that anyone can build websites. Website development should be handled by professionals who are trained to make sure that systems are well built and secure. A recent example of a hack made through WordPress vulnerabilities is where compromised WordPress sites were exploited by the Nuclear exploit kit, which injected them with an iframe that redirected unknowing customers to a Pirate Bay clone site. Another more recent and more worrying attack was announced by the FBI after a number of news organizations, commercial entities, U.S. Federal/State and Local Government, and also foreign government WordPress sites were hacked by people who are said to support ISIS.

2015: White House hacked

Earlier this year Russian hackers broke into the White House system and stole details of President Obama's schedule as well as emails. The hackers were able to infiltrate the White House system using a kind of phishing attack that broke into a State Department network, giving them access through to the White House system.

------------------------------------------------------------

Until we become more advanced in quantum physics, there is no way to make a completely un-hackable system, but there are definitely ways that business owners and organizations can help to keep security to its maximum potential and reduce the risk of being broken into. If you don't run your own website then the place to start is your developer.
Ask them what security implementation they have put in place, use the link below to test your website, and insist that your developer takes immediate steps to secure you, your staff and your clients/visitors. Ideally, if your website is still vulnerable to the above attacks then you should ultimately find a new developer. If you are building your own websites and are not skilled enough to protect the systems you build then you should be handing over the reins to a professional company.

It is no longer acceptable to put your staff, clients and visitors at risk, whether it is through negligence or ignorance. If each individual/business/organization takes steps to ensure that their online services are secured as much as possible with today’s technology then it will help to build a more secure future for us all. Looking after your own bubble will help the bubbles around you; the more protected bubbles there are, the stronger the internet will get.

If you check TechBubble and any sites I have developed over the last few years you will see that they all have a security grading of A+, which I am proud to say is higher than Google's security report.

One thing is for sure: without modern security and encryption, you are willingly putting people at risk. Don't put it off any longer; take some time to get secure or spend some money and get a professional to help you. Do you really want to be responsible for putting your clients and staff at risk? I doubt they would be clients and staff anymore if you were responsible for putting them or their finances in danger. If everyone starts now the future will be more promising.

TEST YOUR WEBSITE HERE: https://www.ssllabs.com/ssltest/
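
As a local complement to the online test above, and tied to the Poodlebleed entry, the following added example (not part of the original article) scans nginx `ssl_protocols` and Apache `SSLProtocol` lines for settings that still enable SSL 3.0 or SSL 2.0. The sample configuration is constructed, and treating Apache's `all` shortcut as including SSLv3 is an assumption of this example.

```python
import re

# Added example: flags server TLS settings that still enable SSL 3.0 (or 2.0).
LEGACY = {"SSLv2", "SSLv3"}
# Assumption: Apache's "all" shortcut is treated as including SSLv3, which is
# how builds contemporary with POODLE behaved.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {n.lower(): n for n in LEGACY | APACHE_ALL | {"TLSv1.3"}}
DIRECTIVE = re.compile(r"^[ \t]*(ssl_protocols|SSLProtocol)[ \t]+([^;#\n]+)", re.I | re.M)

def enabled_protocols(directive, tokens):
    """Resolve the protocol set one directive leaves enabled."""
    if directive.lower() == "ssl_protocols":      # nginx: plain allow-list
        return {CANON.get(t.lower(), t) for t in tokens}
    enabled = set()                               # Apache: ordered +/- tokens
    for tok in tokens:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        names = APACHE_ALL if name == "all" else {CANON.get(name, name)}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:              # bare token replaces the set (this example's model)
            enabled = set(names)
    return enabled

def audit(config_text):
    """Return (line_number, directive_text, legacy_protocols) per finding."""
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        legacy = enabled_protocols(m.group(1), m.group(2).split()) & LEGACY
        if legacy:
            line_no = config_text.count("\n", 0, m.start(1)) + 1
            findings.append((line_no, m.group(0).strip(), sorted(legacy)))
    return findings

# Constructed sample configuration lines (not taken from any real server).
SAMPLE = """\
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol -all +TLSv1.2
"""

if __name__ == "__main__":
    for line_no, text, legacy in audit(SAMPLE):
        print(f"line {line_no}: {text!r} still enables {', '.join(legacy)}")
```

A configuration check like this only covers files you can read; the external scan linked above shows what the server actually negotiates.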