Here’s a lesson in web security, taken from a story about maritime pirates.
According to a recent RISK Team report from Verizon, the company's security team was called in to help a global shipping company deal with its pirate problem.
Although the shipping company had dealt with pirates before, something changed in recent months that raised the alarm: the pirates began targeting specific ships, and even specific containers, to find what was most valuable to them.
Rather than hijacking a ship and holding the crew hostage for days, the pirates were in and out in a matter of hours.
It soon became apparent that the pirates knew the contents of every crate being shipped, and were using the bar codes on the shipping containers to identify and steal only certain items, leaving the rest.
As Verizon discovered, the pirates had exploited an unpatched vulnerability in the shipping company's homegrown content management system (CMS) to plant a backdoor (a web shell), which they then used to pull up records of shipping routes, schedules and container contents.
According to Verizon’s report:
The threat actors used an insecure upload script to upload the web shell and then directly call it as this directory was web accessible and had execute permissions set on it—no Local File Inclusion (LFI) or Remote File Inclusion (RFI) required. Essentially, this allowed the threat actors to interact with the webserver and perform actions such as uploading and downloading data, as well as running various commands.
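The two halves of that paragraph, the insecure upload script and the fix, side by side. This is an added example written for this article, not code from Verizon's report or from the shipping company's CMS; the upload directory name, the extension lists and the magic-byte table are assumptions chosen for the demonstration. The vulnerable handler writes whatever the client sent, under the client's filename, into a directory the web server serves; the hardened one rejects anything the server could interpret, checks the bytes against the claimed type, picks its own filename and stores the result outside the document root with no execute bit.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Constructed for this example: extensions a typical web server hands to an
# interpreter when a file with that name is requested by URL.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".cgi", ".pl", ".py", ".jsp", ".asp", ".aspx"}
# What this hypothetical CMS actually needs to accept, with the leading bytes
# a file of each type must start with.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def save_upload_vulnerable(webroot: str, client_name: str, data: bytes) -> str:
    """The pattern from the Verizon report: the file lands in a web-accessible
    directory under the name the client chose. Upload shell.php and it is
    reachable, and executed, at /uploads/shell.php. No LFI or RFI needed."""
    dest = Path(webroot) / "uploads" / client_name
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return str(dest)


def save_upload_hardened(storage_root: str, client_name: str, data: bytes) -> str:
    """Store outside the document root, under a server-chosen name, only after
    checking every extension in the client's name and the file's magic bytes.
    Returns the stored name; the CMS hands the file back through a download
    handler, never by direct URL."""
    suffixes = [s.lower() for s in Path(client_name).suffixes]  # "a.php.jpg" -> [".php", ".jpg"]
    if not suffixes or suffixes[-1] not in MAGIC:               # also rejects ".htaccess" (no suffix)
        raise ValueError("extension not allowed")
    if any(s in EXECUTABLE_EXTS for s in suffixes):              # double-extension tricks
        raise ValueError("executable extension in filename")
    ext = suffixes[-1]
    if not data.startswith(MAGIC[ext]):
        raise ValueError("content does not match extension")
    stored = secrets.token_hex(16) + ext   # client never chooses the path: no traversal
    dest = Path(storage_root) / stored
    # O_EXCL: never overwrite; 0o640: readable by the app, executable by nobody.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stored


def demo() -> dict:
    """Runs both handlers on constructed inputs: a one-line PHP web shell and a
    minimal PNG header. Returns a dict of outcomes instead of printing."""
    shell = b"<?php system($_GET['cmd']); ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    out = {}
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as store:
        vuln = Path(save_upload_vulnerable(webroot, "shell.php", shell))
        out["vulnerable_serves_php"] = vuln.exists() and vuln.parent.name == "uploads" and vuln.suffix == ".php"
        for name, blob in [("shell.php", shell), ("shell.php.jpg", shell),
                           ("photo.jpg", png), (".htaccess", b"x")]:
            try:
                save_upload_hardened(store, name, blob)
                out[name] = "accepted"
            except ValueError as e:
                out[name] = "rejected: " + str(e)
        stored = save_upload_hardened(store, "photo.png", png)
        out["stored_name_random"] = stored != "photo.png" and stored.endswith(".png")
        out["stored_executable"] = bool(os.stat(Path(store) / stored).st_mode & 0o111)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The extension check on its own is not enough: a directory the web server will execute from must never be one the application writes to, which is the real lesson of the quoted paragraph. The hardened handler makes that structural by keeping uploads outside the document root altogether.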
Fortunately, the shipping company's network was segmented by a firewall, so the attackers were confined to the one server they had compromised.
And the pirates made some crucial operational mistakes: they did nothing to hide either their activity or their location.
They didn't use an encrypted connection, so the company could capture and read their traffic, and they didn't go through a proxy, so the company was able to shut the attacks down simply by blocking the attackers' IP address.
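The same activity leaves a trace that needs no packet capture at all: the web server's own access log. The following is an added example for this article, not anything Verizon or the shipping company published; the upload endpoint, the upload directory and the log lines are constructed for the demonstration. It parses combined-format log lines and flags any client that got a successful response from an interpretable file under the upload directory, noting whether the same address also posted to the upload script, which is the sequence the report describes.

```python
import re
from collections import defaultdict

# Combined log format as written by Apache or nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumptions for this example, not details from the report.
UPLOAD_ENDPOINTS = {"/admin/upload.php"}   # the CMS's insecure upload script
UPLOAD_DIR = "/uploads/"                    # the web-accessible directory it writes to
EXECUTABLE_EXTS = (".php", ".phtml", ".phar", ".cgi", ".pl", ".jsp", ".asp", ".aspx")

# Constructed sample log: one attacker uploads and uses a shell, one legitimate
# user uploads a PDF, one scanner probes for a shell that isn't there.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2016:09:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2016:09:14:31 +0000] "POST /admin/upload.php HTTP/1.1" 200 312
203.0.113.7 - - [12/Mar/2016:09:14:40 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 87
203.0.113.7 - - [12/Mar/2016:09:15:02 +0000] "POST /uploads/shell.php HTTP/1.1" 200 20481
198.51.100.23 - - [12/Mar/2016:09:16:10 +0000] "POST /admin/upload.php HTTP/1.1" 200 312
198.51.100.23 - - [12/Mar/2016:09:16:12 +0000] "GET /uploads/manifest-2016-03.pdf HTTP/1.1" 200 91022
192.0.2.9 - - [12/Mar/2016:09:20:55 +0000] "GET /uploads/shell.php HTTP/1.1" 404 210
"""


def parse(line: str):
    """One combined-format line -> dict of fields, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]   # drop ?cmd=... query string
    return entry


def find_webshell_activity(lines):
    """Flag IPs that got a 200 from an interpretable file under the upload
    directory, and record whether the same IP also posted to the upload script."""
    uploaders = set()
    hits = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e is None or e["status"] != "200":
            continue
        if e["method"] == "POST" and e["path"] in UPLOAD_ENDPOINTS:
            uploaders.add(e["ip"])
        elif e["path"].startswith(UPLOAD_DIR) and e["path"].lower().endswith(EXECUTABLE_EXTS):
            hits[e["ip"]].append(e["path"])
    return {ip: {"uploaded": ip in uploaders, "shell_hits": paths}
            for ip, paths in hits.items()}


def block_list(findings) -> list:
    """Addresses to drop at the perimeter, as the shipping company did. This
    only works because the attackers came from one fixed address with no proxy."""
    return sorted(findings)


if __name__ == "__main__":
    found = find_webshell_activity(SAMPLE_LOG.splitlines())
    for ip, info in found.items():
        print(ip, info)
    print("block:", block_list(found))
```

The scanner at 192.0.2.9 is deliberately excluded: a 404 on a guessed shell path is noise, while a 200 on a script inside the upload directory should never happen on a correctly configured server and is worth an alert on its own.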
Protecting your web servers
The pirate story is an extreme example of what can happen if you don't secure your web server and CMS, but a web attack can be just as devastating for a small business.
Here are some tips for locking down your web server and CMS:
- Choose a strong, unique password for your web server, content management system or blog, and don't reuse it anywhere else. You can learn more about password security in this short video.
- Consider using two-factor authentication. If a one-time code is required to complete a login, a stolen password alone is not enough for an attacker to get in.
- Review all your server access permissions. Make sure that guest users, for example, can't modify files they aren't supposed to, and that any directory your web application writes to (an upload folder, say) is not one the web server will execute scripts from. In the Verizon case, that combination of an upload script writing into a web-accessible directory with execute permissions is exactly what let the pirates run their web shell.
- Make sure your server is patched against security holes. This means updating the operating system, blogging or web server software, your site’s themes and plugins, and much more.
- Run a real-time anti-virus on your server. Yes, even if it’s Linux. By the way, Sophos Anti-Virus for Linux is 100% free for desktops and servers, at work and at home.
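A quick way to act on the permissions tip above. This is an added example for this article, not a tool from Sophos or Verizon; the directory layout, the extension list and the sample files are constructed for the demonstration. It walks a document root and reports three things: upload directories that sit inside the web root (and so are served), anything world-writable, and interpretable files sitting where uploads land. The demo builds a throwaway tree that mirrors the Verizon case and audits it.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed for this example: what a typical web server would execute if served.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".cgi", ".pl", ".py", ".jsp", ".asp", ".aspx"}


def _under(path: Path, parent: Path) -> bool:
    """True if path is parent or lies beneath it (portable relative_to check)."""
    try:
        path.relative_to(parent)
        return True
    except ValueError:
        return False


def audit_webroot(webroot: str, upload_dirs) -> dict:
    """Walk the document root and report:
    - upload_dirs_in_webroot: directories the app writes uploads to that the
      web server also serves (the combination from the Verizon case)
    - world_writable: files or directories any local account, a guest
      included, can modify (paths relative to the webroot)
    - scripts_in_upload_dir: interpretable files sitting where uploads land
    """
    root = Path(webroot).resolve()
    uploads = [Path(u).resolve() for u in upload_dirs]
    findings = {
        "upload_dirs_in_webroot": [str(u) for u in uploads if _under(u, root)],
        "world_writable": [],
        "scripts_in_upload_dir": [],
    }
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.lstat().st_mode & stat.S_IWOTH:
                findings["world_writable"].append(str(p.relative_to(root)))
            if p.is_file() and p.suffix.lower() in EXECUTABLE_EXTS and any(_under(p, u) for u in uploads):
                findings["scripts_in_upload_dir"].append(str(p.relative_to(root)))
    for key in ("world_writable", "scripts_in_upload_dir"):
        findings[key].sort()
    return findings


def demo() -> dict:
    """Constructed webroot: a CMS front page, a world-writable upload folder
    inside the document root, one legitimate upload and one planted shell."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "www"
        uploads = webroot / "uploads"
        uploads.mkdir(parents=True)
        (webroot / "index.php").write_text("<?php echo 'home'; ?>")
        (uploads / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        (uploads / "shell.php").write_text("<?php system($_GET['cmd']); ?>")
        os.chmod(uploads, 0o777)                  # "anyone may write here", as deployed
        os.chmod(webroot / "index.php", 0o644)
        os.chmod(uploads / "photo.png", 0o644)
        os.chmod(uploads / "shell.php", 0o644)
        return audit_webroot(str(webroot), [str(uploads)])


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the execute bit on the file is irrelevant here: shell.php is mode 644 and the web server will still run it, because "execute permissions" in the Verizon quote refers to the server being configured to interpret scripts in that directory, not to the Unix file mode. The fix is to move uploads out of the served tree or to turn off script handling for that directory, not just to chmod the files.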