Throughout lockdown we've noticed a steady, yet unsurprising, increase in the attempts to force entry to the websites we've designed and built. Reassuringly, none of these attempts have yet been successful. The inboxes of our Customers have witnessed an increase in the volume of email claiming to have hacked their website and plundered the data within. Reassuringly, all of these attempts at extorting bitcoin payments are baseless scams. Hackers and scammers are treating lockdown as an opportunity to try their luck with you and your website. So this blog explains how a zero trust policy helps us anticipate, challenge and defend.
In Māori culture, the haka is a ceremonial dance or challenge; perhaps the most widely recognised version of which is 'Ka Mate', as performed by the New Zealand All Blacks. A haka may be danced as a welcome, a celebration or a challenge and so, I guess, in deciding which variant of the haka to perform, it's essential to know whether the recipient is a friend or foe. In the face of a rise in website activities synonymous with hacking, this blog draws inspiration from the haka to explore how we monitor and respond to online threat.
Please, come on in! Sit down, make yourself comfortable - we don't stand on ceremony here. The days of the website welcome (splash) page are now long-gone. Splash pages were index pages at the start of a website, commonplace at the turn of the century, which welcomed visitors to a website with animated company logos, marquee text and audio fireworks. You may now look back and laugh at these welcoming, introductory pages which attempted some kind of roll-out of the ceremonial red carpet but I do think that in the passing of time we've lost something.
It may come as a surprise to some that not everybody enters a website through the front door. Thanks to Google and Search, a visitor to your website can make any page the first page of their visit. You don't ask who these visitors are, you don't ask for their credentials and you don't ask for references before inviting them into your website - you have no idea who goes there. We roll out a welcome to everyone and everything.
Yesterday, just 8.71% of the hits upon one of our websites were thought to be human and 50% of hits were of clear malicious intent.
The websites which once welcomed visitors with a splash page were simple affairs; all webpages were made from static HTML and there was nothing of value for hackers to make an attempt upon. The websites of 2020 are dynamically generated from data held within a database. Websites become easy targets when they are built from within online website building packages with friendly user interfaces, protected only by a password. The databases which power websites can hold information about Customers and purchases; it's this gold which the software robots of hackers typically mine for.
Yesterday I received email alerts from a Customer's website that four separate attempts were made to hack into the website. I received the alerts in real time as the attempts were being made - our own content management system (Web Diffusion) checks the structure and content of every request made of it to decide whether the request comes from a friend or foe. The style of attack I was alerted to, known as SQL injection (here aimed at MySQL), appends a fragment of a database query to the URL of the website. The hackers use this technique in the hope that the tampered query will pass unchallenged and open up access to, or reveal the contents of, the database. In this instance, however, the incorrectly formatted URL was detected and an alert email was sent to my inbox.
This morning I downloaded the website's access_log so that I could undertake a security review of what other requests had been made of the website. What became apparent during that review was the increase in suspicious activity upon the site. Of all the website hits in just one day, just under 9% of requests made to the website were thought to be of human origin - the other 91% came from robotic, programmatic sources. Although many hits came from search engine robot crawls, a staggering 46.77% of all hits were from bad actors, looking for a back door into the website.
Cybercrime doesn't sleep. The biggest attempt upon this one website of ours lasted for 18 minutes and began at 17 minutes past 2 in the morning with multiple attack vectors originating from a popular webhost in Germany. The attempt was targeted at finding WordPress login pages (but, because we don't go near WordPress, none would have been found and we therefore sent the crawler packing with a bunch of HTTP 404 responses) and is characteristic of a first-pass crawl to build a report of potential targets.
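As an added illustration (not Sub@omic's Web Diffusion code, whose checks are not published here), the following Python script reviews constructed access_log lines in the way the two paragraphs above describe: it flags URLs carrying SQL fragments and probes for WordPress login pages, separates search-engine crawlers from human visitors, and reports each class's share of hits plus the longest run of hostile requests from one address. The log lines, IP addresses and detection patterns are constructed assumptions, not data from the site in question.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access_log lines (Apache combined format); not taken from the blog's real site.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2020:02:17:03 +0100] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.10 - - [12/May/2020:02:17:04 +0100] "GET /wp-admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.10 - - [12/May/2020:02:35:10 +0100] "GET /xmlrpc.php HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; scanner)"
198.51.100.7 - - [12/May/2020:09:12:44 +0100] "GET /products.html?id=7%27%20OR%201=1-- HTTP/1.1" 403 220 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2020:09:12:45 +0100] "GET /products.html?id=7%20UNION%20SELECT%20pw%20FROM%20users HTTP/1.1" 403 220 "-" "Mozilla/5.0"
66.249.66.1 - - [12/May/2020:10:00:00 +0100] "GET /about.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.55 - - [12/May/2020:11:30:12 +0100] "GET /about.html HTTP/1.1" 200 4096 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0) Firefox/76.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# The two probe styles the blog describes: SQL fragments appended to a URL, and hunts for WordPress login pages (crude, assumed patterns).
SQLI_RE = re.compile(r"(?i)(\bunion\b.+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'|--|/\*)")
WP_PROBE_RE = re.compile(r"(?i)(wp-login\.php|wp-admin|xmlrpc\.php)")
CRAWLER_RE = re.compile(r"(?i)(googlebot|bingbot|duckduckbot)")

def classify(path, ua):
    """Return 'malicious', 'crawler' or 'human' for one request."""
    decoded = unquote(path)                      # '%27' -> "'" so URL-encoded payloads are not missed
    if SQLI_RE.search(decoded) or WP_PROBE_RE.search(decoded):
        return "malicious"
    return "crawler" if CRAWLER_RE.search(ua) else "human"

def review(log_text):
    """Summarise a log: share of hits per class, and minutes spanned by each IP's hostile requests."""
    counts = {"malicious": 0, "crawler": 0, "human": 0}
    bursts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                             # skip lines that are not in combined log format
        kind = classify(m["path"], m["ua"])
        counts[kind] += 1
        if kind == "malicious":
            bursts[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    total = sum(counts.values())
    shares = {k: round(100 * v / total, 2) for k, v in counts.items()} if total else {}
    longest = {ip: int((max(t) - min(t)).total_seconds() // 60) for ip, t in bursts.items()}
    return shares, longest

if __name__ == "__main__":
    shares, longest = review(SAMPLE_LOG)
    print(shares)              # percentage of hits that are malicious, crawler, human
    print(longest)             # minutes between first and last hostile hit from each IP
```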
Regular readers of this blog will note a repeating theme: that a successful website is written not for the vanity of its owner but in the language of its Customers. This glimpse into the shady world of HTTP requests reveals that there's another kind of visitor that few give enough consideration to, and that's the robot - the ones which never sleep and tirelessly go out on the web looking for known points of entry, susceptibilities and vulnerabilities. Robots don't enter your website through splash pages at the front of your website; robots lurk in the shadows, looking for back doors, brute forcing weak locks and trying every underhand method they know to con their way inside.
Don't let your guard down whilst you're on lockdown.
Sub@omic remains independent and open for business during lockdown. Our websites run 24/7/365 and never sleep. Our websites are not built from a commonly encountered CMS - Web Diffusion is exclusive to Sub@omic and, therefore, our attack surface is small by design. We do not store your Customer data on our websites. Built into every webpage is a threat detection and alert capability that, should the very worst happen, will alert us in real time and allow us to respond. Your website is routinely backed up 4 times a day. Sub@omic treats system integrity and data security very seriously. When developing our website and database code, we operate on a basis of zero trust: trust nothing, question everything. If you have any concerns about the security of your website please get in direct contact with us.
Kia rite! Kia rite! Kia mau! (Get ready! Get ready! Hold fast!)
Ringa ringa pakia! (Slap the hands against the thighs!)
Waewae takahia kia kino nei hoki! (Stamp the feet as hard as you can!)
Kia kino nei hoki! (As hard as you can!)