Is your website secure?
Sunday, 8th November 2015
There’s a lot in the news recently about websites that have been hacked into and personal information stolen. Talk Talk, Marks and Spencer and British Gas have all recently faced embarrasing national headlines. So what is going on and how secure does your website need to be?
You’ll probably have come accross websites that have an SSL certificate. Your web browser will display a padlock next to the web address and sometimes security the whole address bar will go green to indicate secuity. What this means is that all the data sent between your web browser and the web server is encrypted, so a human can’t read it. This is important because the data going to and from a web server goes though lots of pieces of equipment: Your home router (or cafe, hotel, pub etc), the green telephone exchange box on the street, the main telephone exchange, through various routers around the internet to another telephone exchange, then through various routers and a firewall to the web server (it’s amazing it all happens so quickly!). At any one of those hops, it’s reletively straight-forward for someone to take a feed of all the data you send and receive from your web browser. Having the data encryped with an SSL certificate means it’s almost impossible to decrypt the data and read it.
Then what happens to my data?
Once your data has reached the web server, it’s usually decrypted and stored in a database. So whilst your data going to and from the website is secured, you’re then in the hands of the website provider.
All website providers should encrypt user passwords at least. That means that nobody can read the password you use for their website. Realnet for example can’t see the passwords used on any of our clients’ websites, because it’s all encrypted.
The rest of the data you store on a website is often NOT encrypted, to help websites run faster and provide relevant content to you. This is standard practice in the industry. The more valuable your website data becomes the more you need to think about what additional information you should encypt. Large companies, like Talk Talk, are prime targets for hackers because they hold the personal data of millions of people, so they should be considering how this information is stored. Amazingly, even after the recent hack the Talk Talk CEO didn’t appear to know if their customer data was encypted when interviewed on BBC Radio 4, despite this being the third hack they’ve experienced in 12 months. There’s even a possibility that bank details of their customers wasn’t encrypted, which would be unforgivable if true.
How does a hacker get to the data?
The easiest method is called “SQL Injection”. It’s basically when a hacker puts some code into a form or search box on your website. If the website is poorly setup the code gets executed when you submit the form and then you can get hold of all the database information. A website should have protection for this setup, so as soon as it sees any coding going into a form, it will know not to run the code. It appears that Talk Talk had a form somewhere on their site which didn’t have this protection, which is how a 15 year old managed to download all the customer data.
Hackers otherwise rely on security flaws in the platform the website is built on. Open Source packages, such as WordPress, Joomla or Magento, are by their very nature open. So a determined hacker could go through all the core platform code and find a weak spot to try and exploit. These platforms are used by millions of websites accross the globe, so it’s worthwhile for a hacker to spend cosiderable time finding the weak spot, because once found they can then exploit it on millions of websites. Of course, these platforms also have a user community who will identify and fix bugs for ethical reasons too. This is why if you run an open source website platform, it is essential that you keep it up to date with versions and fixes to ensure it remains secure.
As always, there is commercial pressure involved in how secure you make your website. It’s a balance between how valuable your data is, how big a target you are and how much you’re willing to spend on security. You could easily double the budget of your next website rebuild if you wanted to try to cover every base. You might then even hire another company to perform intrusion/penetration testing on your website, to check it’s not easy to hack into.
We hope you found this article was useful and has given you a little more knowledge of the importance of website security.
British Gas leak: http://www.bbc.co.uk/news/technology-34663210
Marks and Spencers website fault: http://www.bbc.co.uk/news/technology-34656818
Talk Talk hacked: http://www.bbc.co.uk/news/uk-34627541
Talk Talk didn’t protect their data: http://uk.businessinsider.com/talktalk-didnt-use-encryption-hack-protect-4-million-customer-details-2015-10