When I was in college, one of my business instructors told us students that one of the biggest hurdles to making money in business is procrastination.
Procrastination is the killer of all that is good, if you ask me. Let’s take blog security.
I don’t think there’s a person out there who, after learning just how much of a problem WordPress hacking is, wouldn’t agree it’s a good idea to enhance the security of their blog. However, something I’ve noticed over the years is that when it comes to securing their blogs, bloggers seem to be stuck in a *reactive* state.
They don’t do anything until something bad has already been done to them.
I live in Las Vegas. Las Vegas seems to be on the “bad” list for just about everything, crime included. It’s sad that I don’t feel really safe at night, but at least I have a house alarm, which makes me feel a little more comfortable. Yes, an alarm only reacts once someone is already inside, but installing it before anything happens is a proactive step. Many people don’t install house alarms until guess what? …they get robbed.
Why is that?
Because they get scared. It seems being scared is a big motivator. I scared one person when I emailed them to let them know I found a huge security hole in their website. Take a look at what I found:
If you click on the image above you’ll see a web server’s directory listing full of database backups someone made of their blog. I found this one (as well as many others like it) with a plain search engine query, sitting online and ready for download. A WordPress database dump holds the users table, password hashes included, along with every post, comment and setting, so if I were a bad, bad person I could have done a lot of damage here. Instead I emailed the website owner about their security problem. Hopefully they fixed it.
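The quickest way to avoid ending up in a screenshot like the one above is to look for such files yourself before a search engine does. The script below is an added example written for this post, not code from the original; it assumes an Apache-style host where a directory is browsable unless an `.htaccess` file in it (or above it, below the web root) contains `Options -Indexes`. The backup file patterns and the demo web root it builds are constructed for illustration.

```python
"""Scan a web root for database dumps and site archives a visitor could download.

Added example, not from the original post. Assumes an Apache-style host where a
directory is browsable unless an .htaccess in it (or in a parent, down to the web
root) contains "Options -Indexes". File patterns are illustrative.
"""
import re
import tempfile
from pathlib import Path

# Extensions that typically mark a database dump or a site archive.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".sql.zip", ".zip", ".tar.gz", ".tgz", ".bak")

# Matches "Options -Indexes" and combined forms such as "Options +FollowSymLinks -Indexes".
_NO_INDEXES = re.compile(r"^\s*Options\b.*-Indexes", re.IGNORECASE | re.MULTILINE)


def listing_disabled(directory, webroot):
    """True if an .htaccess between `directory` and `webroot` (inclusive) turns off indexes."""
    current = Path(directory).resolve()
    webroot = Path(webroot).resolve()
    while True:
        htaccess = current / ".htaccess"
        if htaccess.is_file() and _NO_INDEXES.search(htaccess.read_text(errors="ignore")):
            return True
        if current == webroot or current.parent == current:
            return False
        current = current.parent


def find_exposed_backups(webroot):
    """Return [(relative_path, listing_disabled)] for every backup-looking file.

    A file in a directory with listings enabled is the worst case: its name is
    discoverable by browsing, or by a search engine that indexed the listing.
    A file in a directory with listings disabled is still downloadable by anyone
    who knows or guesses the name, so it is reported as well.
    """
    webroot = Path(webroot)
    findings = []
    for path in sorted(webroot.rglob("*")):
        if path.is_file() and path.name.lower().endswith(BACKUP_SUFFIXES):
            rel = path.relative_to(webroot).as_posix()
            findings.append((rel, listing_disabled(path.parent, webroot)))
    return findings


def build_demo_webroot():
    """Create a constructed sample web root (temporary directory) for the demo."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.php").write_text("<?php // placeholder\n")
    (root / "backups").mkdir()                       # listing ON: findable by browsing
    (root / "backups" / "wp_db_2010-01-30.sql.gz").write_bytes(b"-- constructed dump\n")
    (root / "private").mkdir()                       # listing OFF, file still downloadable
    (root / "private" / ".htaccess").write_text("Options +FollowSymLinks -Indexes\n")
    (root / "private" / "site.zip").write_bytes(b"PK constructed archive")
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_webroot()
    for rel, protected in find_exposed_backups(root):
        status = "listing OFF (downloadable by name)" if protected else "LISTING ON"
        print(f"{status:36} {rel}")
```

Run it with your web root as the argument (`python scan_backups.py /var/www/html`). Anything it reports should be moved outside the web root entirely; turning off directory listings only hides the file name, and a `.zip` under `wp-content/uploads` may be a legitimate upload, so read the list rather than deleting blindly.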
Let Me Show You Why You Need to be Careful
Since scare tactics seem to be what drives some people to take action (or at the very least start thinking about the problem), let me shoot a few scare tactics your way.
Let’s pretend I’m Joe the Butt Hole Hacker. I have nothing better and more productive to do with my life than hack into people’s sites and blogs and make their lives miserable. I don’t care about all the hard work and time you’ve put into your blog, I just want to break it.
Here’s some things I might consider doing.
1. Hang out at a local coffee shop or some other public area where there is free Wi-Fi.
After spending a few days and hitting a few spots around town, I finally find a cafe which offers free, unsecured Wi-Fi and, to my pleasure, there are a ton of people sitting around each day connecting their laptops to the “free” Internet service. I sit down, fire up my handy dandy packet sniffer and start watching everyone’s traffic… remember, they’re all on a shared network, and nothing on an open network is encrypted.
From there it’s easy. Unless a login page uses HTTPS, the username and password are sent in the clear, and anyone sniffing the network can read them. “Hey look at that, that girl over there is logging into her blog. Here, let me see what she’s typing in for her username and password.” And if I can get a virus or key logger onto your laptop while you’re on that network, I don’t even have to wait for you to log in.
Lesson: Don’t trust free Internet connections. At the very least use a place whose Wi-Fi is secured with a password, but be aware that everyone with that password still shares the network with you, so make sure the sites you log into use HTTPS, or run your traffic through a VPN.
2. Create fake online profiles
Since I (our fictitious hacker Joe) have nothing better to do with my time, I’ll go ahead and set up some fake social media profiles. Here, let me go to your blog and check out who your friends are and who you trust.
Got ‘em.
Now let me head over to one of your friend’s sites and take a couple screen shots of their blog, personal photos, and note a few names.
Got it!
Now it’s time to sign up for a new Facebook account and use this person’s name and identity to pose as your friend. Once I get it all set up, I’ll be emailing you posing as your friend and asking you to be friends with me on Facebook (or Twitter, or whichever social site).
Cool, now we’re friends. “Hey buddy, I’ve started doing blog upgrades. Tell you what, if you’ll do a review of my Facebook page and give me a little feedback, I’ll upgrade your blog for you – no charge. I’ll just need your username and password.”
Or perhaps it’s your computer I want. Instead, maybe I’ll just befriend you on Facebook and send a link your way telling you, “You gotta see this video! Click this link here.”
Oops, did I forget to tell you that link is not really a video? It’s a virus I created just for you!
Lesson: Don’t blindly trust anyone online. Yes, you might make friends, and over time you might even trust them; unfortunately, someone can use that trust against you.
Case in point: the other day my wife was watching Dr. Phil in the other room and when I heard him say something, I got up, walked out of my office and asked her to rewind it (oh how I love TiVo).
Dr. Phil said that someone was posing as him online and asking people to do something, like download a file or something… sorry, I forget now what that was. He said it was a fake site and he has never asked someone to download anything of the sort.
3. Password Guessing
As I (our fictitious Joe the Butt Hole Hacker) know, people have way too many usernames and passwords to remember. You’ve got Twitter, Facebook, your online banking, LinkedIn, two blog logins, FTP, web hosting, etc., and every one of those accounts comes with a login and password you need to remember.
If you’re one of the proactive ones, I might find it a little harder to crack your password. But if you’re one of the reactive ones, I might just get you.
According to an article in the NY Times, one of the most popular passwords going around these days is 123456.
Lesson: Do I really need to say it?
I understand that since the birth of the Internet as we know it, things have gotten a lot harder to control and secure. People in 2010 assimilate 10 times the amount of information each day that people did in 1980 (that’s not a scientific study I did, just logic). I understand it’s hard to have a different username and password for all your online profiles, unless you use a program like Roboform (PC and affiliate link) or 1Password (Mac), which I HIGHLY suggest.
But realize that online security is something you really need to start thinking about. Don’t just be the reactive type, take steps to start protecting yourself today. Don’t let Joe the Butt Hole Hacker make your life miserable and turn all that you’ve worked so hard in creating come crashing down in a matter of seconds.
The point of this article is to hopefully get those of you who don’t think much about online security to start thinking.
So, did I put a little scare into you? Or is this just information you accept and figure if it happens, it happens?
February 1st, 2010 at 5:01 pm
Hey John,
That picture can’t be from someone on your hosting, right? I thought that it was a default setting to have directory listing disabled. But, I add it to my .htaccess file anyway!
Plus, spending less than $100 a year you can buy some nice VPN software, to help encrypt your traffic when you are using a “free” wifi.
Oh yeah, and I think I have seen an article like the NY one at least once a year and it is always 123456 or 12345, amazing. If the site can handle long passwords, I try to get people to use a sentence, so capitals, spaces and some numbers too if they can. Easy to remember, and more secure against brute force attacks.
How have you been anyway? I have been disconnected lately.
Jim Gaudet’s last blog: Earthquakes are Rocking Costa Rica
February 4th, 2010 at 9:26 am
Hi Jim. No, that person wasn’t from our hosting, it was from a Google search I did. How easy and stupid is that?
You’re right, our hosting prevents directory browsing, so that .htaccess code isn’t really necessary; however, I know of some pretty well known web hosts that don’t disable it automatically, so when in doubt, just add it.
Re: how I’ve been I’ve been well. Pretty darn busy to be honest. I’m about to launch a new product but I’m not ready just yet to talk too much about it. The family is well… we just had my son’s 4th birthday party and that was fun.
How about you?
John Hoff’s last blog: The Super Beginners for Dummies Tutorial on RSS Feeds
February 5th, 2010 at 2:59 pm
I’m scared John… I’m scared.
Got most of my security info from your various posts… thanks for that.
It stopped me making my blog look pretty and made me start making it secure.
Good to hear that you are busy.
I’m off now to check your “The Super Beginners for Dummies Tutorial on RSS Feeds”
Keith Davis’s last blog: Practice, practice, practice…
February 6th, 2010 at 4:33 pm
I see you shivering over there, Keith heheh.. just kidding.
I’m glad you understand the problem and have taken action. Many people understand the problem but do the worst possible thing… procrastinate.
February 10th, 2010 at 9:34 pm
F-Secure may slow down your Windows, but hey, I don’t care. The only thing I care about is that this anti-virus can protect me from sploit packs and Zeus and shit. And that’s enough for me.
February 13th, 2010 at 6:10 pm
Well worth the trade-off. Nowadays our computers are so fast that if a program like F-Secure slows it down, you can easily speed it up with hardware.