- Category: Computer Security
- Written by Swadesh Shanker Parasher
5 Lifetime lessons to be learned from the MilitarySingles.com hack
If you want to make your website more secure, you should learn from recent breaches and the vulnerabilities that led to them. The latest hacks prove that carelessness about security is the main culprit. Outdated scripts and old mechanisms were in use on the affected websites, which made the attackers' work easier.
The Vatican and government websites (hacked by Anonymous) and the MilitarySingles.com breach are examples. A DDoS attack is the last attempt any hacker makes against a website; hackers usually choose the easier way to gain control of it.
Let's look at the 5 common (basic) habits a webmaster must follow to keep a website secure.
1) Accept hacktivities:
Whenever you have a security breach, or if you suspect such behaviour on your website, never neglect it or let it pass before your eyes. The last public statement from MilitarySingles.com dates from March 28, 2012, when an administrator continued to deny that the site had been hacked, despite attackers releasing a decrypted user database--allegedly from the site--and then uploading an arbitrary image to the site. (The parent company of MilitarySingles.com, ESingles, did not immediately respond to a new request for comment.) Numerous security experts believe the site was indeed exploited, but that administrators had failed to spot the breach. "A denial-of-service attack is visible; you can see that the site is unavailable," said Tal Be'ery, the lead Web security researcher for the Imperva Application Defense Center. "But when all of the data is stolen--which is a much more grave and serious problem--the hacker can do it without leaving any trace, if you don't have the right equipment." Attackers with commercial or economic aims in particular, he said, rarely leave obvious traces.
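The "right equipment" Be'ery mentions can start very small. The following added example (not code from the article or from any site it discusses) is a baseline-and-diff integrity check over a picture upload directory: it records a SHA-256 manifest of what is there, and a later run reports files that are new, modified, deleted, not images at all, or marked executable. The directory layout, file names and the sample "shell.php" content are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

# Extensions that belong in a picture-upload tree (constructed allow-list).
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map relative path -> (sha256, owner-executable?) for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = os.stat(full).st_mode
            manifest[rel] = (hash_file(full), bool(mode & stat.S_IXUSR))
    return manifest


def diff_manifest(baseline: dict, current: dict) -> list:
    """Return sorted (finding, path) pairs that deserve an alert."""
    findings = []
    for rel, (digest, executable) in current.items():
        if rel not in baseline:
            findings.append(("new", rel))
        elif baseline[rel][0] != digest:
            findings.append(("modified", rel))
        ext = rel.rsplit(".", 1)[-1].lower() if "." in rel else ""
        if ext not in IMAGE_EXTS:
            findings.append(("non-image", rel))
        if executable:
            findings.append(("executable", rel))
    for rel in baseline:
        if rel not in current:
            findings.append(("deleted", rel))
    return sorted(findings)


def simulate() -> list:
    """Constructed scenario: a clean baseline, then tampering plus a dropped script."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "a.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    baseline = build_manifest(root)
    # Later: the picture is altered and a non-image, executable file appears.
    with open(os.path.join(root, "a.png"), "ab") as fh:
        fh.write(b"tampered")
    dropped = os.path.join(root, "shell.php")
    with open(dropped, "wb") as fh:
        fh.write(b"<?php echo 'placeholder'; ?>")
    os.chmod(dropped, 0o755)
    return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for finding, path in simulate():
        print(f"{finding:12} {path}")
```

In production the baseline manifest would live somewhere the web server cannot write, and the diff would run from a cron job or a monitoring agent so that a quiet data theft still leaves a record the administrators can see.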
2) A DDoS attack is a precious tool:
A DDoS attack is the last attempt a hacker makes against your website, because it is easier to gain access through minor security vulnerabilities than to set up a costly DDoS (distributed denial of service) attack. "Hacktivists prefer to hack websites with Web application vulnerabilities, because if there are vulnerabilities, it's a lot easier than creating a denial-of-service attack," said Be'ery. "You could say that a denial-of-service attack is the last resort of an attacker; he hasn't found any easier way to hack into the server."
3) Don't trust Web 2.0 functionality:
With MilitarySingles.com, "attackers abused a file-upload mechanism that was only supposed to be used for pictures, and were able to upload an executable file, execute it, and take over the server," he said. Accordingly, treat any such must-have website functionality that adds a security risk with extreme caution. "You can't imagine a dating website that doesn't include pictures, so you must include this functionality, but you also must do it safely," said Be'ery. "Web 2.0 is all about sharing user content, but when you allow users to upload arbitrary data into your Web servers, this is a problem, because usually a file on your server is something that's trusted." And not least by the server's operating system. In other words, watch for all weak points attackers can potentially abuse.
4) Segregate uploaded files:
With a server tending to trust files stored on the server, do what Facebook and Google do: keep user-uploaded content away from critical servers in case it's malicious. "You can see that pictures on Facebook aren't served by Facebook.com, but by a different domain name, and there are different servers, permissions, and environments," said Be'ery. "[Code] isn't allowed to execute on those servers, and they also validate the content of that file. If it's supposed to be a picture, then it's validated--on the server side--that it's a picture and not some executable code."
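Points 3 and 4 together describe one upload pipeline: validate on the server that the content really is a picture, then store it where nothing can execute it. The following added example (my own illustration, not code from the article, from MilitarySingles.com, Facebook or Google) does both for a picture upload. It decides from the file's leading bytes rather than the client's filename or Content-Type, rejects obvious script markers as defence in depth, writes under a random name with an extension derived from the sniffed content, and assumes the `upload_root` directory is outside the web root and served only as static content by a separate host. The magic-number table and the three sample uploads are constructed for the demonstration.

```python
import os
import secrets
import tempfile

# Allow-list of image magic numbers (constructed for this example).
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
# Markers with no business inside a picture. Cheap defence in depth only;
# the real control is that the upload store never reaches an interpreter.
CODE_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


class UploadRejected(ValueError):
    """Raised when an upload fails server-side validation."""


def sniff_image_type(data: bytes):
    """Return 'jpg', 'png' or 'gif' from the leading bytes, or None."""
    for magic, kind in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def validate_image(data: bytes) -> str:
    """Decide from content alone; the client's filename and Content-Type are ignored."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized upload")
    kind = sniff_image_type(data)
    if kind is None:
        raise UploadRejected("content does not start with a known image signature")
    lowered = data.lower()
    if any(marker in lowered for marker in CODE_MARKERS):
        raise UploadRejected("code marker embedded in image data")
    return kind


def store_upload(data: bytes, upload_root: str) -> str:
    """Validate, then write under a random name with a content-derived extension."""
    kind = validate_image(data)
    name = f"{secrets.token_hex(16)}.{kind}"  # never reuse the client's name
    dest = os.path.join(upload_root, name)
    # O_EXCL refuses to clobber an existing file; mode 0o644 sets no execute bit.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return name


# Constructed sample uploads: a minimal PNG header, a script submitted as a
# picture, and a JPEG header with a script marker appended (a polyglot).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_SCRIPT = b"<?php echo 'not an image'; ?>"
SAMPLE_POLYGLOT = b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php echo 1; ?>"


def classify(samples: dict) -> dict:
    """Return {label: 'accepted:<kind>' or 'rejected'} for a set of uploads."""
    results = {}
    for label, data in samples.items():
        try:
            results[label] = "accepted:" + validate_image(data)
        except UploadRejected:
            results[label] = "rejected"
    return results


def roundtrip(data: bytes) -> tuple:
    """Store into a fresh temp directory and return (stored name, bytes on disk)."""
    root = tempfile.mkdtemp()
    name = store_upload(data, root)
    with open(os.path.join(root, name), "rb") as fh:
        return name, fh.read()


if __name__ == "__main__":
    print(classify({"png": SAMPLE_PNG, "script": SAMPLE_SCRIPT,
                    "polyglot": SAMPLE_POLYGLOT}))
```

A magic-number check is deliberately a floor, not a ceiling: a production service would also decode the image with a real image library and re-encode it, so that whatever the client sent, only pixels survive.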
5) Apply modern password hashing:
After exploiting the MilitarySingles.com site, attackers accessed a database containing users' passwords, which were hashed using the MD5 algorithm. "They weren't stored in plaintext, but MD5 is an outdated algorithm these days--known to be broken since 2004--and it's very easy to brute-force the hashed password back to the root password," said Be'ery. "So hashing is a good way to store the passwords, but you need to use updated algorithms ... and SHA-256 is a good candidate."
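To make the difference concrete, here is an added example (my own code, not the article's or the site's) contrasting the unsalted MD5 scheme described above with a modern one built on the SHA-256 the article recommends. The modern side is PBKDF2-HMAC-SHA256 from Python's standard library, which adds a per-user random salt and a tunable iteration count on top of SHA-256, and the example includes a verify-and-upgrade path so a legacy MD5 record is replaced the next time that user logs in. The iteration count and the sample passwords are my assumptions.

```python
import hashlib
import hmac
import os


def legacy_md5_hash(password: str) -> str:
    """The legacy scheme the article describes: unsalted MD5, hex-encoded."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Assumption: cost parameter for PBKDF2-HMAC-SHA256. OWASP currently suggests
# 600,000 iterations for this construction; tune to your login latency budget.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash; the record carries everything needed to verify it."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def verify_and_upgrade(password: str, stored: str) -> tuple:
    """Accept both record formats.

    Returns (ok, replacement): replacement is a fresh PBKDF2 record when a
    legacy MD5 record was just verified (store it in place of the old one),
    and None otherwise.
    """
    if "$" in stored:
        return verify_password(password, stored), None
    # A bare 32-hex-character record is a legacy unsalted MD5 digest.
    if hmac.compare_digest(legacy_md5_hash(password), stored.lower()):
        return True, hash_password(password)
    return False, None


def shared_password_is_visible(scheme, password: str = "Password1!") -> bool:
    """True when two users with the same password get identical records.

    That property is what lets one precomputed lookup recover every account
    using that password; a salted scheme returns False here.
    """
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    print("unsalted MD5 reveals shared passwords:", shared_password_is_visible(legacy_md5_hash))
    print("salted PBKDF2 reveals shared passwords:", shared_password_is_visible(hash_password))
```

The salt removes the "same password, same hash" property that makes a leaked unsalted table so cheap to crack, and the iteration count makes each guess expensive for an attacker while staying affordable for one login. Where a library offering bcrypt, scrypt or Argon2 is available, those are the usual choices for the same job.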