June 17, 2013

Internet Security Today

Ever since the Sony PSN attack, groups have been hacking web sites and online services on an almost daily basis. The attacks have mostly been distributed denial-of-service (DDoS) attacks and actual break-ins to servers to retrieve people's personal information, which in many cases is then published on the internet for all to see. I have been following this news since day one, and I know most of what has been done and who the major players are. What worries me is how little mainstream news coverage this is getting. There have been repeated attacks on Sony, various government websites have been shut down, and literally tens of thousands of people's email addresses and passwords have been posted online for all to see, and I haven’t heard a peep from mainstream media. What bothers me about this is how many victims there have been, and how easy it is to not be a victim of these attacks.

 

Most of these attacks are simple SQL injection attacks. That is what makes these attacks so frustrating for me. Passwords should ALWAYS be encrypted, and websites should be designed so that SQL injection does not work. In my (albeit humble) experience, most small business websites and websites made by small businesses are both protected from simple SQL injection attacks AND encrypt passwords. The reality of the situation is that a web site, much like a house, can always be hacked given enough time, resources, and expertise. One of the keys to good security with websites is to reduce the hacker's ability to steal sensitive information. This is done by not storing credit card information, and by protecting people's passwords with one-way encryption.
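The two defenses named above, shown side by side as an added example (not code from this post): a user lookup built by string concatenation next to its parameterized form, and passwords stored only as salted one-way hashes. The table layout, function names, PBKDF2 work factor and sample input are assumptions made for illustration.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def hash_password(password, salt=None):
    # One-way: only the random salt and the derived digest are ever stored.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def register(db, name, password):
    salt, digest = hash_password(password)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))

def find_user_unsafe(db, name):
    # BEFORE: input is pasted into the SQL text, so a quote in `name`
    # ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def find_user(db, name):
    # AFTER: the placeholder sends `name` as data; it is never parsed as SQL.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def check_login(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])  # constant-time comparison

CRAFTED = "x' OR '1'='1"  # constructed sample input containing a quote

def demo():
    db = make_db()
    register(db, "alice", "correct horse battery")
    register(db, "bob", "another long passphrase")
    # The unsafe lookup returns every row; the parameterized one returns none.
    return len(find_user_unsafe(db, CRAFTED)), len(find_user(db, CRAFTED))

if __name__ == "__main__":
    print(demo())
```

Even if the table were copied out, it would hold salts and digests rather than passwords, which is the reduction in what an intruder can steal that the paragraph above describes.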

However, if mainstream media reported on these attacks, people would be able to take steps to protect themselves. The easiest thing that someone can do is to not use the same password for multiple services. This sounds like a lot of work, but in my (again humble) opinion, it is preferable to having one of the websites that you subscribe to hacked, and letting the hackers have access to every other service that you use on the internet. Also, change your passwords regularly. Even if a hacker gets your password, once you change that password, it is useless to them. Lastly, use a safe password policy. Don’t use your last name, company name, or anything else that is easy to guess.

If you are looking to have someone build you a website, a content management system, or an eCommerce solution, ask about security. Are their websites vulnerable to the more common hacking techniques? Do they encrypt sensitive information? Do they have a security policy? These are all important questions to ask when seeking the right web developer.