3 Ways to Guard Against Your Website Getting Cracked Into


DreamHost, my favorite web host, yesterday announced that there had been a cyber-break-in at their facilities.

A very small subset of our user accounts have been compromised due to a security flaw in our web control panel software. We have already notified those of you affected directly via email…

The security flaw allowed the attackers to log into our customer web control panel with the access privileges of another user. From our web panel they were able to access individual user password information. The attackers also attempted to gain access to our central database and billing information but were ultimately thwarted in that attempt. No credit card information or customer personal information was obtained.

We will soon be making an official post about this situation and the steps being done to safeguard accounts in the future on the DreamHost blog…

As a result of this break-in, several high-profile websites were hacked, and not in an obvious way. Rather, the crackers planted hidden links on the sites' pages, links pointing to their spam sites. This is good for the crackers' spam sites in the short term, because search engines follow those links, rank the spam sites higher, and so more people find them. In the long term it can be bad for the hacked sites, because search engines eventually work out which sites are spam, and they figure that if you link to a spam site, your site is probably spam too.
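A quick way to check your own pages for this kind of injection is to scan the HTML for outbound links that a human reader cannot see. The script below is an added example, not code from the original post or from DreamHost; it uses only the Python standard library, and the page it scans is constructed for the example, with made-up spam domains (spam-pills.example, casino.example, watches.example) and an assumed site hostname of www.mysite.example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-CSS patterns that hide an element from a human reader while a
# crawler still follows the links inside it.
HIDING_RULES = [
    (re.compile(r"display\s*:\s*none", re.I), "display:none"),
    (re.compile(r"visibility\s*:\s*hidden", re.I), "visibility:hidden"),
    (re.compile(r"font-size\s*:\s*0(\.0+)?(px|pt|em|%)?\s*(;|$)", re.I), "font-size:0"),
    (re.compile(r"(left|top|text-indent)\s*:\s*-\d{3,}px", re.I), "off-screen position"),
    (re.compile(r"opacity\s*:\s*0(\.0+)?\s*(;|$)", re.I), "opacity:0"),
]


def hiding_reason(attrs):
    """Return how an element's own attributes hide it, or None if they don't."""
    attrs = dict(attrs)
    if "hidden" in attrs:
        return "hidden attribute"
    style = attrs.get("style") or ""
    for rule, label in HIDING_RULES:
        if rule.search(style):
            return label
    return None


class HiddenLinkScanner(HTMLParser):
    """Walk the document keeping a stack of open elements, so a link counts
    as hidden when it or any ancestor is hidden."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.stack = []       # (tag, hiding reason or None) per open element
        self.findings = []    # (href, reason) for every hidden outbound link

    def handle_starttag(self, tag, attrs):
        self.stack.append((tag, hiding_reason(attrs)))
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._check_link(href)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate unclosed elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def _check_link(self, href):
        host = (urlparse(href).hostname or "").lower()
        if not host or host in self.own_hosts:
            return  # relative or same-site link: not what spammers inject
        reason = next((r for _, r in self.stack if r), None)
        if reason:
            self.findings.append((href, reason))


def find_hidden_links(html, own_hosts):
    """Return [(href, reason), ...] for outbound links a reader cannot see."""
    scanner = HiddenLinkScanner(own_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (assumption for the example): two legitimate links
# plus three injected ones hidden in the ways spammers most often use.
SAMPLE_PAGE = """<html><body>
<p>Welcome. Read our <a href="/about">about page</a> or visit
<a href="http://example.org/">a partner site</a>.</p>
<div style="display:none"><a href="http://spam-pills.example/">cheap pills</a></div>
<p style="position:absolute; left:-9999px"><a href="http://casino.example/">casino</a></p>
<a href="http://watches.example/" style="font-size:0px">replica watches</a>
</body></html>"""

if __name__ == "__main__":
    for href, reason in find_hidden_links(SAMPLE_PAGE, ["www.mysite.example"]):
        print(f"HIDDEN LINK {href} ({reason})")
```

Run it over a fetched copy of each of your pages (what the server actually serves, not the files you think are there) and investigate every hit. Inline styles are the common case in injected spam, but a cracker can also hide links through an external stylesheet or a script, so an empty result is not a clean bill of health.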

Of course, this post is one of the things I love about DreamHost. See, the thing is, I was not affected. No one broke into my account. No one hacked my websites. DreamHost didn’t even have to tell me what happened. But they did. Most hosting companies don’t even have a status site, like DreamHost does, and can’t even publish this sort of information. With those companies, I probably never would have known there was a break-in.

What’s more, break-ins like this do happen. They can happen with any company, especially with shared web hosting. They can happen on any web site. Every single host on the Internet is hit many times a day with attempts to crack into them. (This includes your home computer, by the way.) And every single piece of software deployed on the Internet is likely to have at least one security flaw.

So how do you protect yourself against the risk of your website being cracked?

The advice you usually hear is to use strong passwords, to use a different password for every account, and to change your passwords regularly. I believe one person even echoed that advice in the aftermath of this break-in. And it's good advice… except that it would not have stopped the crackers in this case, and it doesn't help in any case like it. Strong, unique, regularly changed passwords make it harder for someone to guess your password. But they don't help when the attacker can bypass the login entirely, as happened here: the control panel flaw let the crackers act with another user's privileges without ever knowing that user's password.

This kind of break-in, exploiting a flaw in the software rather than guessing a password, is very common. And the best way to guard against it happening to you is to assume that it will happen. Have a plan to contain, mitigate, and recover from the break-in. That turns the worst case (your website destroyed) into an annoyance (you change all your passwords and restore the website from a backup).

  1. The most important thing you can do is to keep regular backups. This includes backing up all your databases as well as your files. Also keep a record of your hosting account configuration, such as email addresses and hosts, so you can restore it, or transfer it to another hosting provider if something awful happens. Keep at least one copy somewhere your hosting account cannot reach, because a cracker who has your account can delete any backups stored next to the site. And test a restore now and then; a backup you have never restored is only a hope. We usually think of keeping backups to guard against hardware failure, and indeed I have lost much more data to my computer's hardware breaking than to malicious people cracking into it. But the same strategy works in both cases, because you can use the backup to recover your website regardless of how it was corrupted.
  2. Install security updates for your web software, and conduct a security audit of any custom web software. This makes it harder for crackers to break into your website, because most cracks exploit known security holes. Security updates plug those holes, and a security audit helps make sure your custom software doesn't contain any of the well-known kinds of hole. This is key. But it only makes sense on top of backups, because it only reduces the chance of a break-in; it can't eliminate it, and there is always a window between a flaw being discovered and the fix being installed. Only a backup limits the damage once a break-in does happen.
  3. Keep different levels of information separate, and share only on a need-to-know basis. This is why the DreamHost crackers could not get at any credit card numbers or other financial information: that data is stored on a separate computer, and the web panel can't access it. This only applies to more complex systems. Amazon does the same thing with its user accounts. If someone breaks into your Amazon account, they can't get your credit card information. The worst they can do is mess up your Amazon Wish List and order you a bunch of stuff you didn't want. They can't even have the stuff shipped to their own address, because Amazon requires you to verify your credit card data before you can do that.
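The backup advice in point 1 is only worth anything if the archive actually restores, so here is an added example, not code from the original post, of the whole cycle: back up a site's files, a logical dump of its database and a copy of the account configuration into one archive with a SHA-256 manifest, then restore it into a scratch directory, recheck every hash and replay the database dump into a fresh database. It uses only the Python standard library. SQLite stands in for whatever database the host provides (on MySQL you would swap dump_database for a mysqldump call), and the site tree, database rows and account details built in demo() are constructed for the example.

```python
import hashlib, io, json, sqlite3, tarfile, tempfile
from pathlib import Path


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def dump_database(db_path):
    """Logical SQL dump (schema plus rows): it restores on another host,
    which a copy of the raw database files may not."""
    con = sqlite3.connect(str(db_path))
    try:
        return "\n".join(con.iterdump()).encode()
    finally:
        con.close()


def add_bytes(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def make_backup(site_dir, db_path, archive_path, account_config):
    """Write files/, database.sql, account.json and a SHA-256 manifest."""
    site_dir, manifest = Path(site_dir), {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for path in sorted(p for p in site_dir.rglob("*") if p.is_file()):
            arcname = "files/" + path.relative_to(site_dir).as_posix()
            manifest[arcname] = sha256_file(path)
            tar.add(str(path), arcname=arcname)
        extras = {"database.sql": dump_database(db_path),
                  "account.json": json.dumps(account_config, indent=2).encode()}
        for name, data in extras.items():
            manifest[name] = hashlib.sha256(data).hexdigest()
            add_bytes(tar, name, data)
        add_bytes(tar, "manifest.json", json.dumps(manifest, indent=2).encode())
    return manifest


def verify_backup(archive_path):
    """Restore into a scratch directory, recheck every hash and replay the
    SQL dump into a fresh database. Returns (ok, problems)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(str(archive_path), "r:gz") as tar:
            for m in tar.getmembers():   # refuse entries that would escape root
                if m.name.startswith("/") or ".." in Path(m.name).parts or not m.isfile():
                    return False, [f"unsafe archive entry: {m.name}"]
            try:
                tar.extractall(root, filter="data")  # Python 3.12+ safety filter
            except TypeError:                        # older Python: no filter kwarg
                tar.extractall(root)
        manifest = json.loads((root / "manifest.json").read_text())
        for name, digest in manifest.items():
            p = root / name
            if not p.is_file():
                problems.append(f"missing {name}")
            elif sha256_file(p) != digest:
                problems.append(f"hash mismatch {name}")
        con = sqlite3.connect(":memory:")
        try:
            con.executescript((root / "database.sql").read_text())
            n = con.execute("select count(*) from sqlite_master where type='table'").fetchone()[0]
            if n == 0:
                problems.append("database dump restored no tables")
        except sqlite3.Error as e:
            problems.append(f"database dump failed to replay: {e}")
        finally:
            con.close()
    return not problems, problems


def demo():
    """Constructed site tree, database and account details (assumptions for
    the example); back them up, then verify the archive."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        site = work / "htdocs"
        (site / "img").mkdir(parents=True)
        (site / "index.html").write_text("<h1>My site</h1>")
        (site / "img" / "logo.svg").write_text("<svg/>")
        db = work / "site.db"
        con = sqlite3.connect(str(db))
        con.execute("create table posts(id integer primary key, title text)")
        con.executemany("insert into posts(title) values (?)", [("hello",), ("world",)])
        con.commit()
        con.close()
        account = {"domains": ["mysite.example"], "mailboxes": ["tim@mysite.example"]}
        manifest = make_backup(site, db, work / "site-backup.tar.gz", account)
        ok, problems = verify_backup(work / "site-backup.tar.gz")
        return ok, problems, sorted(manifest)


if __name__ == "__main__":
    print(demo())
```

Copy the finished archive off the host before you trust it, and run verify_backup on every archive, not just the first one; a backup job that silently started producing empty dumps is exactly the failure you find out about on the day you need the backup.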

So, will this news cause me to switch from DreamHost? No. Will it cause me to change my website’s policies or web software? Uh, no, actually. I’m already all set. I may, however, accelerate development on a website-backup package that’s on my potential-future-products list.

-TimK


Trackback URL for this post:

http://lucrativewebdesign.com/trackback/44