It was quite a minor hack but losing my Web site recently certainly got me thinking. We know about the various kinds of digital attacks. Mostly, though, we just imagine problems happening to other people. If the digital world is to prosper, we will need to think differently.
For some reason, I looked at my Web site one evening and was shocked to find the usual home page had been replaced by a message from a Russian hacking group. Soon afterwards somebody wrote to me, pointing out the problem. Links to any part of my site simply brought up the hacker's message.
Contacting the hosting company resulted in an immediate change to my password and the suggestion that the usual cause was out-of-date software. Not knowing the route used by the hacker, I spent quite some time checking that the core software was completely up to date. My efforts were actually in vain, but that was revealed only later.
The Web page left by the hacker gave a reference to a Web site and even left an e-mail address. Mainly out of curiosity, I wrote to ask why the site had been hacked. A couple of days later, I was surprised to get a reply, apologising for the delay and pointing out exactly what weakness had been exploited.
It turned out to be in an add-on component called Remository that provides for file downloads. No doubt I should have been aware of the issue sooner, since a search of the Web quickly gave further information on the software dating from last September. But the patch proposed at that time did not actually cover the hack to my site and further patches were needed.
Remository is open-source software and its author has abandoned it to deal with other pressures of life. I had to figure out the patches myself, which was not too difficult. Being reluctant to abandon a good piece of software, I finally decided to take over responsibility for the further development of Remository. After all, the spirit of open source includes the principle that if you want a job done, you can consider doing it yourself.
Problems caused by users finding ways to break systems started occurring long before the Internet age. But the combination of far greater exposure and a culture of rapid development has caused an increase in vulnerability.
Testing is all too easily confined to checking that simple cases work correctly. This does not prove that wildly inappropriate data or deliberately damaging data fall foul of validation checks.
And not all hackers will be so obliging as to install their own code only after renaming the official code so as to preserve it. Indeed, had mine been a banking site, one might suppose the consequences of a hack could have been very much more severe.
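As an added illustration of that testing point (example code written for this edit, not code from the column and not Remository's own), the block below takes a hypothetical file-download component that serves a user-supplied file name from a fixed directory. It shows two validators: one that only checks what a happy-path test would exercise, and one that assumes the caller may be hostile. A small suite runs both against constructed well-formed and deliberately damaging inputs and reports which inputs slip through; the function and constant names, the download root and every input are assumptions made up for the example.

```python
"""Why passing the simple cases proves nothing about hostile input.

Everything here is constructed for illustration: a hypothetical download
component, two candidate validators and a set of made-up test inputs.
"""
from __future__ import annotations

import posixpath
import re
from collections.abc import Callable

ALLOWED_EXTENSIONS = {".pdf", ".zip", ".txt"}

# Whitelist: must start with a letter or digit, then only letters, digits,
# '.', '_' or '-', and at most 100 characters in total.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def naive_is_valid(name: str) -> bool:
    """The check that a 'simple cases work' test suite would be satisfied with:
    non-empty and carrying an approved extension. Nothing else is examined."""
    return bool(name) and posixpath.splitext(name)[1].lower() in ALLOWED_EXTENSIONS


def strict_is_valid(name: str) -> bool:
    """Validation written on the assumption that the caller may be hostile."""
    if not SAFE_NAME.fullmatch(name):      # rejects separators, NUL, whitespace, oversize
        return False
    if ".." in name:                        # no parent-directory components at all
        return False
    return posixpath.splitext(name)[1].lower() in ALLOWED_EXTENSIONS


def stays_inside(root: str, name: str) -> bool:
    """Defence in depth: even a name that passed validation must still resolve
    to a location underneath the download root once joined and normalised."""
    target = posixpath.normpath(posixpath.join(root, name))
    return target.startswith(root.rstrip("/") + "/")


# Constructed inputs. The first list is what a happy-path test would use;
# the second is what an attacker would send.
HAPPY_PATH_INPUTS = ["report.pdf", "archive-2024.zip", "notes.txt", "Report_v2.PDF"]
HOSTILE_INPUTS = [
    "../../secret.pdf",        # parent-directory traversal, approved extension
    "/etc/shadow.txt",         # absolute path, approved extension
    "..\\..\\boot.ini.txt",    # Windows-style traversal
    " report.pdf",             # leading whitespace
    "x" * 300 + ".pdf",        # oversize name
    "report.pdf\x00.exe",      # embedded NUL byte
    "",                        # empty
    "report.exe",              # disallowed file type
]


def accepted_hostile(validator: Callable[[str], bool]) -> list[str]:
    """Hostile inputs the validator lets through (should be empty)."""
    return [name for name in HOSTILE_INPUTS if validator(name)]


def rejected_happy(validator: Callable[[str], bool]) -> list[str]:
    """Well-formed inputs the validator wrongly rejects (should be empty)."""
    return [name for name in HAPPY_PATH_INPUTS if not validator(name)]


if __name__ == "__main__":
    for label, validator in (("naive", naive_is_valid), ("strict", strict_is_valid)):
        print(f"{label}: rejects {rejected_happy(validator)!r} of the happy path, "
              f"accepts {accepted_hostile(validator)!r} of the hostile set")
```

Both validators pass the happy-path list, so a suite built only from those inputs cannot tell them apart; only the hostile list exposes the naive one, which waves through five of the eight damaging inputs. The `stays_inside` check is there because a validator is one line of defence, not the only one: the code that actually builds the path should confirm the result is still under the download root.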
We are ill-prepared to face some of the worst possibilities online. Large numbers of Internet-connected computers have been subverted and many are made available to rent for practically untraceable attacks of one kind or another. It is also believed that as many as one-third of legitimate credit card numbers are known to criminals.
For the most part, fraudulent use of cards is marginal and, although banks fight it, some losses are simply counted as a cost of doing business. The countermeasures rely on picking up unusual transaction patterns, making checks and ultimately blocking cards. However, it has been suggested that this leaves open the possibility of a doomsday scenario.
A sudden, massive surge of fraudulent transactions would overwhelm the standard countermeasures, leading either to huge losses or to vast numbers of cards being disabled. The result would be a severe loss in consumer confidence and perhaps large financial losses.
Maybe that cannot happen or maybe the banks have an effective response ready. But unless we can think up possibilities of that kind faster than they can be deployed, there is a risk that our wired economy is excessively fragile. I can cope with my website disappearing but I would be very unhappy if my online bank disappeared.
Biography
Martin Brampton is founder of Black Sheep Research, an independent consultancy providing research, writing and speaking services on a wide range of business and technology issues. Brampton was previously a director at Bloor Research, and has worked with IT as a user and analyst for over 20 years. He is a long-term contributor to silicon.com through videoed debates and his weekly column, which tackles a wide range of issues. He can be contacted through his Web site. This article first appeared on silicon.com.
It isn't only computers!
When you use a credit card - what happens?
You get your copy of the transaction slip - what do you do with it?
The merchant gets their copy - what happens to it? How many people see it? Who records the card number, name and expiry date? Even the other "code" on the back!
So far, Armageddon hasn't happened. Maybe one should only use a credit card in a "hole in the wall" - far more secure than a shop, restaurant or similar - let alone over the Internet.
David