Small Business V. Hackers
Is it just me, or is the world ending? Hackers recently took down the CIA website and broke into the United States Senate’s public. Last month it was Sony’s Playstation network. Before that it was the still-at-large group of rogue hackers known as Anonymous.
Hackers have been around for as long as there have been computers and networks to hack. But the problem seems to be escalating. More and more high profile networks and databases are being compromised. All the more troubling is just how much of our personal information some of these databases have, often without our realizing it. Online privacy is almost an oxymoron these days.
Individuals are always at risk. To be alive in the world today is to have information about you floating around somewhere in cyberspace. Things like cyber-terrorism and identity theft have been scaring purple-haired old ladies for over a decade. But what about Small Businesses? Hackers want credit cards from people, and long lists of confidential data from big corporations, right? What would they want with your small business site?
The answer is complicated. There are plenty of reasons your site might get hacked, and it may have nothing to do with your business. But part of the answer is a matter of simple logic: Small business sites often have less security precautions in place against hackers, and are therefore more vulnerable to such exploits.
USA Today recently reported a new kind of attack that a lot of small business websites are falling prey to. It’s an updated version of “popular style of attack known as mass SQL injection, the most prominent recent example of which was the so-called Lizamoon attack last March that corrupted an estimated 5,600 websites, according to Google researcher Niels Provos.”
What the attack does is insert malicious java script code deep into a company’s site. The code does a couple things: it downloads malicious programs to your computer–and unlike the popular “trick you into downloading spyware” method, this one doesn’t need your permission. Secondly, it serves up more malicious code to new sites that are infected by the attack. So these sites are never communicating with “blacklisted” websites–a dead giveaway that there’s some sort of viral infection going on. Instead, they’re communicating with other, infected, reputable websites. Until, of course, Google discovers your site is serving up malicious code and blacklists it, at which point, your website is banished from the search engine. Pretty ugly, right?
Security firm Amorize calls these attacks “mass-meshing.” Amroize estimates that anywhere from 20,000 to 30,000 such sites may be infected. They’ve “released a sample list of 700 websites thusly corrupted by the attackers, of which only 20% have been detected and blacklisted by Google based on this particular attack.” None of the sites are getting the kind of traffic that the recent barrage of high-profile cyber attacks have been targeting. Instead, they’re smaller sites like fashionwatchesjewelry.com and greener-gardens.com. DO NOT GO TO THESE SITES. The mere act of going to them will get you infected, according to Amorize’s chief technical officer Wayne Huang.
So what can you do about it? According to USA Today:
At the moment, there is not much the average small or midsize business owner can do to defend against this wave of mass-meshing attacks. It’s not trivial for a non-technical website owner to determine if his site is infected, nor is cleaning up simple.
And to add insult to injury, the mass-meshing attackers are equipped with tools that can quickly re-infect any website that was cleaned.
If you suspect your web site is corrupted, Huang advises changing the administrator password for the site.
Bummer. But, believe it or not, this isn’t a call for general panic. It’s to make you aware of the kind of risks you face as a small business owner and operator. While this latest and greatest threat may be, for now, unpreventable, there are a number of precautions you can take against the many cyber-threats that are out there.
Earlier this year, Intuit laid out a list of ten ways to protect yourself, and your site, from hackers. Among them are: Only allow routine attachment types (#5), Purchase a business class router to protect your company’s internet connection (#7), and create a regular backup of files, then store them securely offsite (#8). Some of these ideas may just seem like common sense, others may seem like unnecessary precautions. But common sense and precaution are the two things that just may save you from the time-consuming, unwelcome task of recovering from a cyber attack. Remember: small and midsize businesses are not immune to hackers. In many cases, they’re more vulnerable to them than the bigwigs.
The internet is rife with advice for preventing or detecting hacker invasions. I strongly advise that you take some time to brush up on the latest threats, and how to protect your company from them. While it may seem like a pain in the butt, it pales in comparison with the clean-up required after-the-fact.
I’d like to remind you that, within the last year, this very blog was hacked. There were a number of highly exploitable weaknesses in our security, and a hacker managed to easily sneak in and temporarily commandeer the site. It was difficult, but it could have been a lot worse. We were able to recover our site and then put into effect some added security precautions. I consider us lucky that we were able to recover from the attack with relative ease. Some of the more malicious attacks can be virtually irreversible.
The smartest thing you can do is take action before there’s a problem. Make sure all of your systems have up-to-date antivirus software installed, and keep abreast on the latest threats. You’ll thank me later.
To finish things off, watch this YouTube video to learn an interesting technique you can use to make sure that you aren’t unwittingly hosting spam links on your website. A lot of the time, links like this can be hidden deep within your site, and unless you are regularly inspecting every inch of code, you might miss it.
Thanks for reading. Stay safe. Oh, and follow Why Didn’t I Think of That?® on Facebook.