We’ve all seen this image in the news the past week …
How many of you got a sick, sick feeling when you heard about the ransomware attack? How many of you thought: there but for the grace of God go I? How many of you checked your computers? How many of you checked your kids’ computers or your parents’ computers?
Malicious hacking. Extortion. Blackmail.
I was being interviewed on radio during the week and the interviewer pointed out – quite rightly – that it used to be the case that malware only wanted to make a point. Authors of malware simply wanted to piss you off … your files have been trashed
But now – they’ve discovered that they can make money – pay us a ransom and you can have your data back
And as we all know – when money is driving an activity – it gets a life of its own
This is a Google search, requesting a listing of all the pages on a well-known Irish website – this was done a few years ago
If you went to the front page of that website, it looked fine. All the usual pages and posts were exactly where they were supposed to be – but it had hundreds of new pages added – each one devoted to the selling of a particular prescription pharmaceutical.
If this was your website – your blog – your bandwidth – your web hosting resources are being spent on flogging prescription drugs online – illegally I might add
What’s the motive here? These aren’t pranksters – this is money – criminal money – and your blog is owned.
Sometimes it’s a prank – sometimes it’s political
This was a lawyer’s blog – professional blog – hacked to make a political statement
This is bad enough – to have your website defaced – or used to sell pharmaceuticals illegally
But hacked websites are also used to spread malware infections. To trick users into downloading programmes which will infect their computers – create botnets which can be used for denial of service attacks – or to send out spam.
Or to infect users with ransomware …
Which is why Google created the Google Safe Browsing initiative ….
How many of you have seen this message on the web? This is what happens when you put in the name of a website – or click on a link, and instead of taking you there, your browser (Chrome in this case) says – hang on a minute. Are you sure you want to do this?
Wow – you say – dodged a bullet there – whew! But what if you’re the owner of that website? There goes that sick feeling in your stomach again.
And the result of getting hacked is that you can get blacklisted by Google
Google isn’t being malicious here – it’s trying to protect end-users – your readers – from visiting a site which has been compromised
The site may have been defaced – or it may be infected with malware – which can infect the devices of users who visit your site
The thing is – when Google blacklists your site – you may not even know about it.
If your site gets thousands of hits a day, if you’re earning advertising revenue from that traffic, selling products and services, or referring traffic to other sites … you may find your revenue is turned off like a tap – and you don’t even know about it
• 30,000 websites per day hacked
• 10,000 websites blacklisted by Google Safe Browsing
• Owners may not even be aware of blacklisting
• Average of 3-7 business days to remediate
Three elements to a website
Domain Name
• Address of your site
• Registered with a domain registrar
• Address
• Domain Name System
• An entry in a database
‘For this domain name, go to that computer’
Hosting
• Physical location of your site
• A computer housed in a data centre
• Dedicated hardware, or virtual machine, or shared hosting
• Windows, Linux OS
• Apache or IIS Web Server
e.g. postcode
• Contains no information about the physical location
• DNS is like the post office: it looks up the Eircode (domain name) and gets a physical address (IP address)
e.g. physical location
• IP address is like a map reference
• A physical location in the internet routing system
• Computers in datacenters are like buildings with multiple apartments (websites)
e.g. furniture
• Carpet or tiles
• Gas or electric
• Standard interface: i.e. doors and windows
• House rules: shoes on or off? (e.g. comment policy)
This is the last known photo of your web developer, before he went off to find himself
There’s no phone signal
He’s got all the passwords – or at least he had before he achieved enlightenment
Domain
• Loss of control of domain name
• Domain name expiry
• Who controls your domain name?
Hosting
• Hosting expiry
• Hosting failure
• Who controls your hosting?
Software
• Website hacking
• Software out of date
• Third Party Plugins no longer supported
• Who has access to your CMS?
• Is your site backed up?
• Make sure that YOU are registered as the ‘Owner’ of your domain name
– You can choose to add other people as Admin, Billing or Technical contacts
• Know the login details for the account with your domain registrar
• Watch out for emails about registration requirements, contact validation and expiry dates
• Use auto-renew to avoid loss of your domain name due to expiry
Also – Acronis
• Backup any machine
• Laptops, Desktops & Servers
• Local & Cloud Storage
• Secure, Encrypted
• Revenue Loss
– €5,600 is the average cost of downtime per minute
(UK/Ireland-based small and mid-sized businesses with fewer than 1000 employees)
• Reputational Damage
Cost of a Compromised Website
Domain Name, Software, Hosting
What Makes a Website?
• Domain name is registered in someone else’s
• Hosting is registered in someone else’s name
• Blog software is obsolete or infected
• Website is not backed up
Help-Desk Hard-Luck Stories
Domain Name, Software, Hosting
Avoiding catastrophe requires that you manage
• Make sure that YOU are registered as the ‘Owner’ of your domain name
– You can choose to add other people as Admin, Billing or Technical contacts
• Know the login details for the account with your domain registrar
• Watch out for emails about registration requirements & expiry
• Use auto-renew to avoid loss of your domain name
Domain Name Protection
• Is the hosting account in your name? Do you have access to log in to it?
– Talk to your developer
• Is the type of hosting adequate to your needs?
– Ask about traffic and storage limits, uptime and support.
• Keep WordPress & Plugins up-to-date
– If you have a developer, agree a maintenance contract
• Remove any themes or plugins you are not using
• Don’t use the default ‘admin’ username
• Remove any user accounts that aren’t required. Make sure users have
• Choose strong passwords
• Don’t share passwords
• Don’t reuse passwords
• Use a password manager such as LastPass
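The software checklist above can be run as a repeatable audit. This is an added example, not part of the original talk: it assumes you have exported your user and plugin lists as JSON (WP-CLI's `wp user list --format=json` and `wp plugin list --format=json` print this shape), and the sample data, function names and finding labels are constructed for illustration.

```python
import json

# Constructed sample data, shaped like WP-CLI's JSON output (not from a real site).
SAMPLE_USERS = json.loads("""[
  {"ID": 1, "user_login": "admin", "roles": "administrator"},
  {"ID": 2, "user_login": "mary", "roles": "administrator"},
  {"ID": 3, "user_login": "old-developer", "roles": "administrator"},
  {"ID": 4, "user_login": "guestwriter", "roles": "author"}
]""")
SAMPLE_PLUGINS = json.loads("""[
  {"name": "contact-form", "status": "active", "update": "available", "version": "4.1"},
  {"name": "old-gallery", "status": "inactive", "update": "none", "version": "1.0"},
  {"name": "seo-helper", "status": "active", "update": "none", "version": "9.3"}
]""")


def audit_users(users, expected_admins):
    """Flag the default 'admin' login and administrators you did not expect."""
    findings = []
    for user in users:
        login = user["user_login"]
        roles = [r.strip() for r in user.get("roles", "").split(",")]
        if login.lower() == "admin":
            findings.append(("default-admin-username", login))
        if "administrator" in roles and login not in expected_admins:
            findings.append(("unexpected-administrator", login))
    return findings


def audit_extensions(items, kind="plugin"):
    """Flag plugins (or themes) that are unused or have an update waiting."""
    findings = []
    for item in items:
        if item["status"] == "inactive":
            findings.append((f"unused-{kind}", item["name"]))
        if item["update"] == "available":
            findings.append((f"outdated-{kind}", item["name"]))
    return findings


def audit_site(users, plugins, expected_admins):
    """Run every check and return a flat list of (finding, name) pairs."""
    return audit_users(users, expected_admins) + audit_extensions(plugins)


if __name__ == "__main__":
    # 'mary' is the only administrator the site owner expects (assumption).
    for check, name in audit_site(SAMPLE_USERS, SAMPLE_PLUGINS, {"mary"}):
        print(f"{check}: {name}")
```

Each finding maps back to one bullet: rename or replace the default account, remove accounts and plugins that are no longer needed, and apply pending updates.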
Backup & Restore
• Schedule automated backups daily
(weekly or monthly as required)
• Restore with One Click
• Backup website and database
• Ideal for WordPress hosting
• Secure encryption and transfer
• Google Blacklist Monitoring