
The main difference – between those that do and those that don’t

We are the ones who do malware removal. We work in the trenches

This is something I’ve been toiling over for some time now and it’s reached a full boil.

I continually read blog posts and articles about what “you” should do to protect your website from hackers.

I read it, then read the bio at the end and it all makes sense – these people are not living in the world of website security. They’re not even vacationing here.

One article I read actually focused on one main actionable item for website owners looking to increase their website security: add a section to your agreement with your web developer that makes them responsible for all website security issues.

Really?

How many of you web devs out there, think that’s justified?

And more to the point, does it really make your website more secure?

Today I read a blog post about what you can do about website security. It started off with keeping software updated, which is totally sound advice. However, after that the author talked about SQL injection and cross-site scripting: not what you should do to prevent them, but what they are.

Does awareness make you more secure by itself?

Knowing one way that SQL injection can succeed does nothing for the security of most website owners' sites.

Nothing!

That’s like saying that since I know it’s illegal to drive 60 miles per hour in a 45 mile per hour zone, that I’m qualified to be a lawyer. Does that little bit of knowledge make me qualified to practice law? I think not.

To turn this around and not have this just be my rant, here are some things you can do to increase your website security. This is advice from someone “in the trenches” (someone that “does”).

  1. First, make certain that someone is responsible for updating your software and your plugins. Don't even think this is the same as that blog post referenced above about making it your web developer's responsibility.

    I want you to be certain that it's someone's responsibility to log in to your WordPress, Joomla, etc. and check for core updates and for plugin, component, module, etc. updates at least once every two days.

    You check your Facebook, Twitter (insert other social media sites here) numerous times a day, and that does nothing for your website security. So why not log in to your website and see if there are any updates?

  2. Next, activate your log files. If you're on a hosting account with cPanel, most hosting providers will have the access logs turned off by default. They know that storage costs can skyrocket and drive their prices up, and they know that probably nobody, other than us, ever reads them, so they leave access logs deactivated. However, the first thing we do when we log in to your cPanel account is activate them.

    In your main cPanel window, look for the section titled "Statistics". You'll see an icon for "Access Logs". Click on that and put a check in the top two boxes. The first keeps an archived copy of the raw Apache access logs in your home directory; the second "flushes" the previous month's archived logs at the end of each month. This prevents your local storage from going through the roof and having your account deactivated for performance issues.

    As much as I hate to admit it, nobody can guarantee your website will never get infected. However, with a forensic audit trail we can at least determine how it happened, so we can take steps to ensure that the chance of your website getting infected again is lower.

  3. Consider your circle of trust. Shameless plug: https://www.youtube.com/watch?v=oCLRaonXf8M

    We created this video to help you understand the concept of trust. If you use a web developer, an SEO expert, a blogger, an administrator, or a security company, you must realize that you’re trusting people they trust – without even knowing them. You should start analyzing your circle of trust.

    Watch the above video. Start thinking about who you trust.

  4. Create a separate FTP account for each user.

    If you have a web developer, an SEO expert and yourself all accessing your files, create a separate FTP account for each of you. That way, if your website is infected via FTP, you (or we) can see in the FTP logs which user account was compromised and used to upload infectious/infected files to your website.

    Without that, you'll only see one account, and you have no idea whose computer was used to steal the FTP password.

    Often we see websites infected due to stolen passwords. These passwords are stolen by a virus/trojan on someone's local computer: when that person logs in to the website, whether through FTP, the CMS login, cPanel, etc., the virus/trojan captures the login URL, the username and the password and sends them to the hacker's server. From there the hacker logs in as a valid user and uploads or injects malicious code.

  5. If you are using cPanel, create a separate cPanel account for each website.

    Then, if one website gets infected, chances are the other sites will not, due to the separation of accounts: each cPanel account is a separate system user with its own home directory, so malware that can write as one account normally cannot write into the others.

    You can suspend the infected website (cPanel account), get the malware removed and the website secured, then reactivate it – all without disrupting the other websites.

  6. Monitor your files.

    No, this is not another shameless plug. But the fact is that hackers are constantly changing their tactics. The only sure way to detect that your website has been infected is to monitor the files constantly: not just once a day, and not from the outside through a browser, but actually monitoring all the files and folders frequently to see whether any file or folder has been added or changed.
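Tip 4 above only pays off if someone actually reads the FTP transfer log. The following is an added example, not part of the original post and not WeWatchYourWebsite's software: a Python script that parses the xferlog format written by ProFTPD, Pure-FTPd and vsftpd, counts completed uploads per account and per remote address, and flags uploads of web-executable files from an address that account does not normally use. The log lines, the account names and the "known address" table are constructed for the example.

```python
"""Attribute FTP uploads to individual accounts from an xferlog transfer log.

Added example (not WeWatchYourWebsite's software). Parses the standard xferlog
format (ProFTPD, Pure-FTPd, vsftpd) and reports which FTP account and which
remote address uploaded each web-executable file. With one shared login every
row would carry the same username and this attribution would be impossible.
"""
import re
from collections import defaultdict

# Constructed sample log: three accounts, one of them (seo_jane) used from an
# address nobody on the team recognises to drop PHP files into the theme.
SAMPLE_XFERLOG = """\
Mon Dec 23 17:41:02 2013 1 192.0.2.10 48213 /home/site/public_html/wp-content/themes/xyz/style.css a _ i r dev_bob ftp 0 * c
Mon Dec 23 17:58:44 2013 1 198.51.100.7 9127 /home/site/public_html/wp-content/uploads/hero.jpg b _ i r owner ftp 0 * c
Mon Dec 23 18:03:01 2013 1 203.0.113.55 2311 /home/site/public_html/wp-content/themes/xyz/index.php a _ i r seo_jane ftp 0 * c
Mon Dec 23 18:03:05 2013 1 203.0.113.55 1402 /home/site/public_html/wp-content/themes/xyz/header.php a _ i r seo_jane ftp 0 * c
Mon Dec 23 18:03:09 2013 1 203.0.113.55 734 /home/site/public_html/wp-content/themes/xyz/footer.php a _ i r seo_jane ftp 0 * c
Mon Dec 23 18:10:30 2013 1 192.0.2.10 5120 /home/site/public_html/wp-content/themes/xyz/functions.php a _ o r dev_bob ftp 0 * c
"""

# Addresses each account normally works from (assumption for the example;
# in practice build this from past logs or ask each person).
KNOWN_ADDRESSES = {
    "owner": {"198.51.100.7"},
    "dev_bob": {"192.0.2.10"},
    "seo_jane": {"192.0.2.20"},
}

WEB_EXECUTABLE = re.compile(r"\.(php\d?|phtml|phar|cgi|pl|py|sh)$", re.IGNORECASE)

# xferlog fields: current-time transfer-time remote-host file-size filename
# transfer-type(a/b) special-action-flag direction(i/o/d) access-mode(a/g/r)
# username service-name authentication-method authenticated-user-id completion-status(c/i)
XFERLOG = re.compile(
    r"^(?P<time>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<bytes>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<flag>\S) (?P<direction>[iod]) "
    r"(?P<mode>[agr]) (?P<user>\S+) (?P<service>\S+) (?P<auth>\S+) (?P<uid>\S+) (?P<status>[ci])$"
)


def parse_xferlog(text):
    """Return one dict per well-formed xferlog line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = XFERLOG.match(line)
        if m:
            records.append(m.groupdict())
    return records


def uploads_by_account(text):
    """Completed inbound transfers counted per (account, remote address)."""
    counts = defaultdict(int)
    for r in parse_xferlog(text):
        if r["direction"] == "i" and r["status"] == "c":
            counts[(r["user"], r["host"])] += 1
    return dict(counts)


def suspicious_uploads(text, known=KNOWN_ADDRESSES):
    """(account, remote address, path) for completed uploads of web-executable
    files coming from an address that account is not known to use."""
    findings = []
    for r in parse_xferlog(text):
        if r["direction"] != "i" or r["status"] != "c":
            continue
        if not WEB_EXECUTABLE.search(r["path"]):
            continue
        if r["host"] in known.get(r["user"], set()):
            continue
        findings.append((r["user"], r["host"], r["path"]))
    return findings


if __name__ == "__main__":
    for (user, host), n in sorted(uploads_by_account(SAMPLE_XFERLOG).items()):
        print(f"{user:10} {host:15} {n} upload(s)")
    for user, host, path in suspicious_uploads(SAMPLE_XFERLOG):
        print(f"SUSPECT: {user} from {host} uploaded {path}")
```

On a cPanel server the combined FTP transfer log typically lives under /usr/local/apache/domlogs/ (assumption; confirm on your own server). Once the script names the account, that is the person whose computer needs to be checked for the password-stealing trojan, and that is the one password that has to be changed first.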

Notice the slant above?

It presumes that your website will get re-infected.

That’s right!

Nobody can guarantee that your website will not get infected – NOBODY!

Understand that the hackers are making money off their work. They will not stop. All you can do is follow advice from someone "in the trenches", take the necessary steps to make your site less prone to being infected, set up a strategy for early detection and remediation, and get back to doing what it is you do.

Post a comment about your thoughts on this.


Has security moved from prevention to detection and response?

Recently, Symantec's senior vice president of information security, Brian Dye, told the Wall Street Journal that anti-virus is dead.

Is it?

Has the security industry moved away from prevention to early detection and quick response?

I know when I started WeWatchYourWebsite back in 2007, I started preaching prevention. However, it became evident that nobody was interested. It appeared that people, even then, were more interested in early detection and quick remediation.

If you look at many of the startups and large security companies, it becomes really clear that most of the industry is focused on early detection and quick remediation. Is this like closing the barn door after the horses are out?

Is this giving up on prevention and focusing instead on early detection? That, to me, is like admitting defeat to the cyber criminals of the world.

Or, is it a different strategy?

In combat, whether your battlefield is on soil or a chess board, one key strategy is to lure your opponent into an area and then close in and destroy them.

Could this work in cyber security?

Of course, we’ll never catch the cyber criminals, unless they’re really lazy, but can we capture their methods? That would be considered a victory.

In the book "The Art of War" it states:

All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.

If our deception is to lure the cyber criminal into our website while recording and reporting everything, then we can consider that a victory for the masses. That information can be used to protect other websites and prevent other sites from being successfully breached.

What do you think?

Should focus be placed on detection and response? Is that a sound strategy?

Share your thoughts…

Thank you.


Our automated malware removal software for VPS and dedicated servers

As some of you know, we’ve been busy adding more features to our VPS and dedicated server software.

I thought it was time to let you know what we’ve been working on.

Currently our software works amazingly well at detecting the instant any files are changed or added to a VPS or dedicated server. If infected, it quarantines the original file and cleans it. If the infected file is a backdoor, it automatically removes it.
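Tip 6 of the first post and the paragraph above both come down to the same thing: knowing, file by file, what was added or changed. As an added example, not the product's watcher (the post describes one that reacts the instant a file changes; this one has to be run on a schedule, for example from cron every few minutes), here is a Python baseline-and-compare monitor. It records a SHA-256 per file, reports added, changed and removed files, and flags new or changed PHP that contains constructs common in injected loaders and backdoors. The web root, its files and the "infection" in the demo are constructed in a temporary directory; the suspicious-code patterns are an assumption to be tuned per site.

```python
"""Baseline-and-compare file monitor for a web root.

Added example, not WeWatchYourWebsite's software. Run snapshot() once to store a
baseline, then diff_snapshots() against a fresh snapshot on every run; PHP files
in the added/changed set are scanned for patterns typical of injected code.
"""
import hashlib
import json
import os
import re
import tempfile

# Constructs that are rare in legitimate theme code but common in injected
# loaders and backdoors (assumption: tune per site, expect some false positives).
SUSPECT = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|preg_replace\s*\(.{0,60}/e['\"]"          # the old /e modifier
    rb"|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(",  # request value called as a function
    re.IGNORECASE | re.DOTALL,
)


def file_hash(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            out[os.path.relpath(full, root).replace(os.sep, "/")] = file_hash(full)
    return out


def save_baseline(snap, path):
    # Keep the baseline OUTSIDE the web root, or it shows up as an added file
    # and an attacker who can write to the site can rewrite it.
    with open(path, "w") as f:
        json.dump(snap, f, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def diff_snapshots(old, new):
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def suspicious_php(root, rel_paths):
    """Subset of rel_paths that are PHP and match a SUSPECT pattern."""
    hits = []
    for rel in rel_paths:
        if not rel.lower().endswith((".php", ".phtml", ".inc")):
            continue
        with open(os.path.join(root, rel), "rb") as f:
            if SUSPECT.search(f.read()):
                hits.append(rel)
    return hits


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed web root: take a baseline, simulate an infection, report it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    state = tempfile.mkdtemp(prefix="fim-state-")
    _write(root, "wp-content/themes/xyz/index.php", b"<?php get_header(); ?>\n")
    _write(root, "wp-content/themes/xyz/style.css", b"body { margin: 0 }\n")
    _write(root, "wp-content/uploads/2013/12/photo.jpg", b"\xff\xd8\xff\xe0 not a real jpeg\n")
    baseline_path = os.path.join(state, "baseline.json")
    save_baseline(snapshot(root), baseline_path)
    # Simulated attacker with a stolen password: prepend an obfuscated loader
    # to the theme and drop a one-line backdoor into uploads/.
    _write(root, "wp-content/themes/xyz/index.php",
           b"<?php eval(base64_decode('ZWNobyAxOw==')); get_header(); ?>\n")
    _write(root, "wp-content/uploads/2013/12/.cache.php", b"<?php $_POST['f']($_POST['a']); ?>\n")
    report = diff_snapshots(load_baseline(baseline_path), snapshot(root))
    report["suspicious"] = suspicious_php(root, report["added"] + report["changed"])
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the "changed" list is that a hash catches a modified index.php even when its size and name are unchanged, which a glance in a file manager never would; the pattern scan only prioritises what to look at first, and anything in the added or changed set still deserves a human's eyes.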

However, that is where our software stops – until now.

Our latest upgrade now reads the log files as well. So when a file in the themes folder of a WordPress site is infected, our software reads the log files and knows that it was the result of a stolen password. We now get a notification like this:

2013/12/23:06:03PM Samplewebsite.com had /public_html/wp-content/theme/xyz/index.php, header.php, footer.php files infected with the following code:
(malicious code would be displayed here)
According to the log files, a successful login was recorded from: 123.456.789.000 (show country of origin). This indicates that a stolen password was used.
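Tip 2 of the first post ("activate your log files") and the notification above are the same idea: the access log is what lets you say where the login came from. As an added example, not the software's own logic, here is Python that reads an Apache combined-format access log and a list of changed files with their modification times, reports the addresses that logged in to WordPress successfully in the half hour before each change, and lists what those addresses then POSTed under /wp-admin/. It relies on one assumption about WordPress behaviour: a POST to wp-login.php gets a 302 redirect on success and a 200 (the form again) on failure. The log lines, timestamps, time zone and file list are constructed for the example.

```python
"""Which login came just before the theme files changed?

Added example, not the notification logic the post describes. Correlates file
modification times with successful WordPress logins in an Apache combined log.
Assumption: WordPress answers POST /wp-login.php with 302 when the password is
right and re-renders the form with 200 when it is wrong.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log for Samplewebsite.com (Apache "combined" format).
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [23/Dec/2013:17:30:12 -0600] "GET /wp-admin/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.55 - - [23/Dec/2013:17:58:01 -0600] "POST /wp-login.php HTTP/1.1" 200 4104 "http://samplewebsite.com/wp-login.php" "Mozilla/5.0"
203.0.113.55 - - [23/Dec/2013:17:58:05 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "http://samplewebsite.com/wp-login.php" "Mozilla/5.0"
203.0.113.55 - - [23/Dec/2013:17:59:40 -0600] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "http://samplewebsite.com/wp-admin/theme-editor.php" "Mozilla/5.0"
203.0.113.55 - - [23/Dec/2013:18:00:11 -0600] "GET /wp-content/themes/xyz/header.php HTTP/1.1" 200 3312 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Dec/2013:18:20:00 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

SITE_TZ = timezone(timedelta(hours=-6))  # assumption: server clock matches the log's -0600

# Constructed: the three theme files from the notification, with the mtime a
# file monitor recorded (2013/12/23 06:03 PM).
CHANGED_FILES = [
    (f"/public_html/wp-content/themes/xyz/{name}", datetime(2013, 12, 23, 18, 3, 0, tzinfo=SITE_TZ))
    for name in ("index.php", "header.php", "footer.php")
]

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    """One dict per combined-format line; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def successful_logins(entries):
    return [e for e in entries
            if e["method"] == "POST"
            and e["path"].split("?", 1)[0] == "/wp-login.php"
            and e["status"] == 302]


def logins_before_change(log_text, changes, window=timedelta(minutes=30)):
    """Changed path -> sorted list of addresses with a successful login in the window before its mtime."""
    logins = successful_logins(parse_access_log(log_text))
    report = {}
    for path, mtime in changes:
        report[path] = sorted({e["ip"] for e in logins if mtime - window <= e["ts"] <= mtime})
    return report


def admin_posts_by(log_text, ip):
    """Paths under /wp-admin/ that the given address POSTed to, in log order."""
    return [e["path"] for e in parse_access_log(log_text)
            if e["ip"] == ip and e["method"] == "POST" and e["path"].startswith("/wp-admin/")]


if __name__ == "__main__":
    for path, ips in logins_before_change(SAMPLE_ACCESS_LOG, CHANGED_FILES).items():
        print(path, "<- successful login(s) from", ", ".join(ips) or "none")
        for ip in ips:
            print("    ", ip, "then POSTed to", admin_posts_by(SAMPLE_ACCESS_LOG, ip))
```

In the sample, 203.0.113.55 fails once, succeeds four seconds later, and then POSTs to the theme editor a minute before the files change; the later login from 192.0.2.10 is outside the window and is ignored. A 302 from an unfamiliar address is the clue, not proof: if the address turns out to be the owner's, it was not a stolen password, and if the site sits behind a proxy the real client address will be in a header rather than in %h.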

So, not only will our software be able to clean the site, it can also determine how the infection happened, so we know, as your website security department, what to do to protect it.

Currently, for VPS and dedicated servers that are using cPanel, we can also determine if the infection came in through a form on the infected website, if it was FTP, and many other methods.

As part of our next development, we are working on tying into cPanel so we can change passwords on the fly as well. Imagine that your site was infected due to stolen FTP passwords. Wouldn't it be nice to have our software change the password for you, record it and save it? That would be like self-healing.

This would prevent a recurrence of that infection. We get notified, you get notified. It's a beautiful thing.

We're also working on auto-reporting to hosting providers. In the above scenario, we see that the IP address 123.456.789.000 belongs to a certain hosting provider. Our system will send an email with sanitized log file entries to abuse@… notifying that hosting provider that they have an infected site/server that is being used to launch attacks on other websites. We do this manually now, and it's been working quite well.

The hosting providers have been very quick to take care of the situation which just removes one more infected system from the Internet.

Another development in this latest update is that all file changes are sent to us. That way we can further analyze them to determine if a new type of infection has been released. With our software installed on over 500 clients' VPSs and dedicated servers, we're growing our database of infectious code, which helps us help you.

If you have any other needs or wants, please send them to me and I’ll research the idea and it could be included in one of our upcoming releases.

Questions? Let me know…

If you’re a hosting provider and would like to offer this to your VPS and dedicated server customers, feel free to contact me.

You can always contact me at: traef@wewatchyourwebsite.com

Thank you.


“Industry leaders…”

This is going to be somewhat of a rant.

In reading many blogs and websites, many of them in our own industry, we see variations of the term, “industry leading”.

I started doing some research on this and I have some questions.

If you’re a startup, how can you be leading the industry right out of the gates? I started this company back in 2008 and I don’t ever think about calling us industry leaders. We’ve cleaned over 138,000 websites and I don’t think about labeling us as industry leaders.

Even if you started your company years ago, by what standard do you consider yourself “the” industry leader?

Who is the industry leader?

I have no idea. I just know that if everyone else is labeling themselves an industry leader, does that put us at the bottom? I don't think so. Our customers don't think so.

If you look up self-proclamation (self-proclaimed industry leaders) on Wikipedia, you'll see this definition:

describes a legal title that is only recognized by the declaring person and not any recognized legal authority

To me, self-proclamations are worthless.

What do you think?